a User object
<algorithm>$<iterations>$<salt>$<hash>
Those are the components used for storing a User's password, separated by
the dollar-sign character, and consist of: the hashing algorithm, the
number of algorithm iterations (work factor), the random salt, and the
resulting password hash. The algorithm is one of a number of one-way
hashing or password storage algorithms Django can use; see below.
Iterations describe the number of times the algorithm is run over the
hash. Salt is the random seed used and the hash is the result of the
one-way function.
I installed the Bcrypted library in the settings.py file...
What else do I need to do to use Bcrypt?
I'm not sure what that first sentence means. You need to put the following in settings.py:
use Bcrypt to validate a password a user provides upon login against
the hashed version stored in the database.
You can do that manually:
The django.contrib.auth.hashers module provides a set of functions to
create and validate hashed passwords. You can use them independently
from the User model.
If you'd like to manually authenticate a user by comparing a plain-text
password to the hashed password in the database, use the convenience
function check_password(). It takes two arguments: the plain-text
password to check, and the full value of a user's password field in the
database to check against, and returns True if they match, False
otherwise.
To authenticate a given username and password, use authenticate(). It takes credentials in the form of
keyword arguments, for the default configuration this is username and
password, and it returns a User object if the password is valid for
the given username. If the password is invalid, authenticate() returns
```python
from django.contrib.auth import authenticate

user = authenticate(username='john', password='password to check')
if user is not None:
    # the password verified for the user
    if user.is_active:
        print("User is valid, active and authenticated")
    else:
        print("The password is valid, but the account has been disabled!")
else:
    # the authentication system was unable to verify the username and password
    print("The username and password were incorrect.")
```
Those are the defaults: there is no entry in my settings.py for PASSWORD_HASHERS.
PASSWORD_HASHERS = (
(django186p34)~/django_projects/dj1$ python manage.py shell
Python 3.4.3 (v3.4.3:9b73f1c3e601, Feb 23 2015, 02:52:03)
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from django.conf import settings
Note the bcrypt hashers at the front of the tuple.
>>> from django.contrib.auth.models import User
>>> user = User.objects.get(username='ea87')
You can see that the password has changed to a bcrypt version.
I upvoted, because a lot of the ideas helped me to find out what confused me; put in short for those confused in future: the hashes produced by BCrypt (which is what php currently uses) are not at all in the form <algorithm>$<iterations>$<salt>$<hash> as stated in the docs, but as you can see at the end of the answer (only not with "_sha256", at least that's how my php hashes were encrypted -> imported into django! :))
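As an added example (not code from the question, the answers or Django itself), the snippet below parses both layouts this thread talks about: the <algorithm>$<iterations>$<salt>$<hash> form the docs describe for the PBKDF2 hashers, and the bcrypt_sha256 form from the last comment, where the raw bcrypt string ($2b$<cost>$<salt><hash>) follows the algorithm name. It also verifies a pbkdf2_sha256 value in constant time, which is what check_password() does for that hasher; bcrypt verification needs the bcrypt package and is not reimplemented here. The salt, iteration count and bcrypt string used are constructed test values.

```python
import base64
import hashlib
import hmac


def encode_pbkdf2_sha256(password, salt, iterations):
    """Build the pbkdf2_sha256 encoded form: algorithm$iterations$salt$base64(digest)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(digest).decode("ascii"))


def parse_encoded(encoded):
    """Split an encoded password into its components.

    pbkdf2_* values follow <algorithm>$<iterations>$<salt>$<hash>. The bcrypt
    hashers store the bcrypt string itself after the algorithm name, e.g.
    bcrypt_sha256$$2b$12$<22-char salt><31-char hash>, so the '$'-separated
    fields are laid out differently and the work factor sits in the fourth field.
    """
    algorithm = encoded.split("$", 1)[0]
    if algorithm.startswith("bcrypt"):
        algorithm, empty, variant, work_factor, data = encoded.split("$", 4)
        if empty != "" or len(data) != 53:
            raise ValueError("unexpected bcrypt layout")
        return {"algorithm": algorithm, "variant": variant,
                "work_factor": int(work_factor), "salt": data[:22], "hash": data[22:]}
    algorithm, iterations, salt, hash_ = encoded.split("$", 3)
    return {"algorithm": algorithm, "iterations": int(iterations), "salt": salt, "hash": hash_}


def check_pbkdf2_sha256(password, encoded):
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    parts = parse_encoded(encoded)
    if parts["algorithm"] != "pbkdf2_sha256":
        raise ValueError("only pbkdf2_sha256 is verified here")
    candidate = encode_pbkdf2_sha256(password, parts["salt"], parts["iterations"])
    return hmac.compare_digest(candidate.encode(), encoded.encode())


if __name__ == "__main__":
    # Constructed values: a low iteration count keeps the demo fast; Django uses far more.
    stored = encode_pbkdf2_sha256("correct horse", "abc123XYZ", 1000)
    print(parse_encoded(stored))
    print(check_pbkdf2_sha256("correct horse", stored), check_pbkdf2_sha256("wrong", stored))
    # Constructed bcrypt_sha256 value showing the different field layout.
    print(parse_encoded("bcrypt_sha256$$2b$12$" + "a" * 22 + "b" * 31))
```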