Password Hashing Domain Explainer#

Purpose: Technical concepts and terminology glossary for business stakeholders (CTOs, PMs, executives) to understand password hashing in Python applications.

Target Audience: Non-cryptography experts who need to make informed decisions about authentication security.

1. Core Technical Concepts#

1.1 Password Hashing vs Encryption#

Password hashing is a one-way transformation that creates a fixed-size “fingerprint” of a password. Unlike encryption, hashing is intentionally irreversible.

Why one-way?

• If an attacker steals your database, they get hashes, not passwords
• Even system administrators cannot see user passwords
• Users’ passwords on other sites remain protected (people reuse passwords)

Critical distinction:

• Encryption: Reversible with a key (use for data you need to read later)
• Hashing: Irreversible (use for passwords)

Never encrypt passwords. If someone steals the encryption key, all passwords are exposed instantly. With hashing, attackers must brute-force each password individually.

1.2 Why Password Hashing is Intentionally Slow#

Regular hash functions (SHA-256, MD5) are designed to be fast. Password hashing algorithms are designed to be slow.

The math:

• SHA-256: ~10,000,000 hashes/second on commodity hardware
• Argon2: ~5 hashes/second (with proper settings)

Why this matters:

• If an attacker steals 1 million password hashes…
• With SHA-256: Test all common passwords in seconds
• With Argon2: Testing takes weeks to months

The goal: Make brute-force attacks economically infeasible.

1.3 Memory-Hard Algorithms#

Memory-hardness means the algorithm requires large amounts of RAM to compute.

Why it matters:

• GPUs can run thousands of simple operations in parallel
• But GPUs have limited memory per core
• Memory-hard algorithms force sequential memory access
• This limits how many passwords can be tested simultaneously

Memory-hard algorithms: Argon2, scrypt NOT memory-hard: bcrypt, PBKDF2

Real-world impact:

• bcrypt: Attackers can use GPU clusters effectively
• Argon2 (128 MiB): Each GPU core needs 128 MB RAM, severely limiting parallelism

1.4 Salting#

A salt is random data added to each password before hashing.

Without salt (DANGEROUS):

hash("password123") → "ef92b778..."  # Same for all users

If two users have the same password, they have the same hash. Attackers can build “rainbow tables” of pre-computed hashes.

With salt (CORRECT):

hash("password123" + "randomsalt1") → "a1b2c3d4..."
hash("password123" + "randomsalt2") → "x9y8z7w6..."  # Different!

Same password, different hashes. Rainbow tables become useless.

Best practice: All modern password hashing libraries generate unique salts automatically.

1.5 Work Factor / Cost Parameter#

The work factor (also called “cost” or “rounds”) controls how slow the hashing algorithm runs.

bcrypt example:

• cost=10: ~75ms per hash
• cost=12: ~300ms per hash
• cost=14: ~1.2s per hash

Why adjustable?

• Hardware gets faster every year
• You want hashing to take 250-500ms
• Increase work factor as CPUs improve

OWASP recommendation: Tune to 250-500ms on your production hardware.

1.6 Argon2 Variants#

Argon2 has three variants designed for different threat models:

Argon2id is the recommended variant for password hashing because it provides balanced protection against both GPU attacks (like Argon2d) and timing attacks (like Argon2i).

2. Security Concepts#

2.1 Brute Force Attacks#

Brute force: Trying every possible password until finding a match.

Attack cost factors:

• Number of passwords to try
• Time per hash attempt
• Hardware cost (GPUs, ASICs)
• Electricity cost

Defense: Make each hash attempt expensive (time + memory).

2.2 Dictionary Attacks#

Dictionary attack: Trying common passwords and variations.

Facts:

• “123456” is still the most common password
• Top 1000 passwords cover ~10% of accounts
• Attackers have lists of billions of leaked passwords

Defense: Password hashing makes each guess expensive. Also: enforce password complexity requirements.

2.3 Rainbow Tables#

Rainbow table: Pre-computed database of hash → password mappings.

Attack: Look up stolen hash in table, instantly get password.

Defense: Salting. Each password has unique salt, so pre-computed tables are useless.

Note: All modern password hashing libraries handle salting automatically.

2.4 Side-Channel Attacks#

Side-channel: Extracting information from physical implementation, not the algorithm itself.

Examples:

• Timing attacks: Measuring how long operations take
• Power analysis: Measuring electrical consumption
• Cache attacks: Observing memory access patterns

Relevance: Mostly affects cloud/shared hosting where attackers can observe your server.

Defense: Argon2id (hybrid variant) is designed to resist side-channel attacks.

2.5 Credential Stuffing#

Credential stuffing: Using leaked username/password pairs from one site to attack another.

Why it works: 65% of people reuse passwords across sites.

Why password hashing matters: Even if your database is breached, properly hashed passwords can’t be used to attack other sites.

3. Algorithm Landscape#

3.1 OWASP Recommendations (2025)#

The Open Web Application Security Project (OWASP) maintains authoritative security guidance.

Current priority order:

1. Argon2id (PRIMARY) - Memory-hard, PHC winner
2. scrypt (SECONDARY) - Memory-hard, if Argon2 unavailable
3. bcrypt (LEGACY) - For existing systems only
4. PBKDF2 (FIPS) - Only if FIPS-140 compliance required

3.2 Algorithm Comparison#

3.3 Why Argon2 Won#

The Password Hashing Competition (2013-2015) evaluated algorithms on:

• Security against known attacks
• Memory-hardness
• Resistance to side-channels
• Performance characteristics
• Simplicity and implementability

Argon2 won because it provided the best balance across all criteria.

3.4 FIPS-140 Compliance#

FIPS-140 is a US government security standard for cryptographic modules.

Who needs it?

• US federal agencies
• Federal contractors
• Healthcare (HIPAA) with government data
• Financial services with government work

The catch: Only PBKDF2 is FIPS-approved for password hashing. Argon2 is not (yet).

If you need FIPS: Use PBKDF2 with at least 600,000 iterations.

4. Library Ecosystem#

4.1 Python Library Landscape#

4.2 Why passlib Should Be Avoided#

passlib was once the standard choice. It’s now abandoned:

• Last release: October 2020 (4+ years ago)
• No Python 3.13 support
• Known compatibility issues
• FastAPI and Ansible have migrated away

If you have passlib: Migrate to argon2-cffi or libpass (maintained fork).

4.3 PyCA (Python Cryptographic Authority)#

PyCA is a trusted organization maintaining critical Python security libraries:

• cryptography
• bcrypt
• PyNaCl
• pyOpenSSL

Why it matters: Organization-backed libraries have better long-term sustainability than individual-maintained projects.

5. Business Considerations#

5.1 Breach Cost Impact#

Average data breach cost (2024): $4.4 million

Password hashing impact on breach severity:

• Weak/no hashing: Immediate password exposure
• Strong hashing: Attackers get hashes, not passwords
• Difference: Weeks to months of protection for users to change passwords

5.2 Compliance Requirements#

5.3 Performance vs Security Trade-off#

The tension:

• Slower hashing = better security
• Slower hashing = worse user experience
• Slower hashing = higher server load

Sweet spot: 250-500ms per hash

• Secure enough for most applications
• Fast enough for good user experience
• Manageable server load

High-security applications: Accept 500ms+ latency.

5.4 DoS Risk#

Password hashing is CPU/memory intensive. Attackers can abuse this.

Attack: Send many login requests to exhaust server resources.

Defense:

• Rate limiting on authentication endpoints
• CAPTCHA after failed attempts
• Account lockout policies
• Queue-based authentication processing

6. Common Misconceptions#

6.1 “More downloads = better”#

bcrypt has 3x more PyPI downloads than argon2-cffi.

Reality: This reflects legacy adoption, not current best practice. OWASP explicitly recommends Argon2 over bcrypt for new projects.

6.2 “bcrypt is insecure”#

Reality: bcrypt is still secure and acceptable. It’s just not optimal:

• Not memory-hard (GPU-vulnerable)
• 72-byte password limit
• Newer algorithms are better

Recommendation: No urgent need to migrate existing bcrypt systems, but use Argon2 for new projects.

6.3 “Password hashing is encryption”#

Reality: They’re fundamentally different:

• Encryption is reversible (with key)
• Hashing is one-way (irreversible)

Never encrypt passwords. Always hash them.

6.4 “SHA-256 is secure for passwords”#

Reality: SHA-256 is a secure hash function, but it’s too fast for password hashing. Attackers can try billions of passwords per second.

Password hashing algorithms (Argon2, bcrypt) are intentionally slow to resist brute-force attacks.

6.5 “Longer passwords don’t matter with hashing”#

Reality: Longer passwords dramatically increase brute-force time:

• 8-character: Hours to days
• 12-character: Months to years
• 16-character: Effectively impossible

Encourage users to use longer passwords/passphrases.

7. Key Takeaways#

For Engineering Decisions#

1. New projects: Use argon2-cffi with default settings
2. Existing bcrypt: Keep it, no urgent migration needed
3. FIPS required: Use PBKDF2 with 600,000+ iterations
4. Using passlib: Migrate to argon2-cffi or libpass

For Security Policy#

1. Algorithm: Argon2id (or bcrypt for legacy)
2. Target latency: 250-500ms per hash
3. Password requirements: 12+ characters minimum
4. Rate limiting: Required on all auth endpoints
5. Monitoring: Log and alert on authentication failures

For Compliance#

1. SOC2/HIPAA/PCI-DSS: Argon2 or bcrypt acceptable
2. FIPS-140: PBKDF2 only (for now)
3. Document choices: Maintain security decision records

Glossary#

ASIC: Application-Specific Integrated Circuit - Custom hardware for specific computations (like password cracking)

Brute force: Systematically trying all possible passwords

Cost parameter: Setting that controls how slow password hashing runs

GPU: Graphics Processing Unit - Can run many password hash attempts in parallel

Hash: Fixed-size output from a hash function, regardless of input size

Memory-hard: Algorithm requiring large amounts of RAM, limiting parallel attacks

OWASP: Open Web Application Security Project - Security standards organization

Password Hashing Competition (PHC): 2013-2015 competition that selected Argon2

PBKDF2: Password-Based Key Derivation Function 2 - Older, FIPS-approved algorithm

PyCA: Python Cryptographic Authority - Organization maintaining Python crypto libraries

Rainbow table: Pre-computed database of hash-to-password mappings

Salt: Random data added to password before hashing to ensure unique outputs

Side-channel attack: Extracting secrets from physical implementation (timing, power, etc.)

Work factor: Same as cost parameter - controls hash computation time

Document Version: 1.0 Last Updated: 2025-12-11 Target Audience: CTOs, Product Managers, Security Officers Prerequisites: None (designed for non-cryptography experts)

S1 Rapid Discovery: Password Hashing Libraries#

Approach#

Time budget: 30 minutes Goal: Identify the de facto standard Python password hashing library based on popularity metrics, security track record, and OWASP recommendations.

Selection Criteria#

1. PyPI download volume - ecosystem adoption signal
2. Security track record - CVE history, vulnerability disclosures
3. OWASP recommendation status - official security guidance
4. Maintenance status - active development, recent releases
5. Organization backing - individual vs organization maintainer

Libraries Evaluated#

OWASP 2025 Priority Order#

1. Argon2id - Primary recommendation (PHC winner)
2. scrypt - Fallback when Argon2 unavailable
3. bcrypt - Legacy systems only
4. PBKDF2 - FIPS-140 compliance only

Quick Decision Framework#

• New project? → argon2-cffi (OWASP #1)
• Existing bcrypt codebase? → Keep bcrypt, plan migration
• FIPS compliance required? → PBKDF2 via hashlib
• Need algorithm abstraction? → Consider pwdlib (modern) or libpass (passlib fork)

argon2-cffi#

Overview#

Python binding to the Argon2 password hashing algorithm, winner of the 2015 Password Hashing Competition.

Key Metrics#

Maintainer#

Hynek Schlawack (individual developer)

• Well-known Python community member
• Also maintains attrs, structlog
• Supported by Variomedia AG, Tidelift, GitHub Sponsors

Security Status#

• CVEs: 0 (none found)
• Snyk scan: No vulnerabilities, no malware
• Security contact: [email protected]

Key Features#

• High-level PasswordHasher API with sensible defaults
• Uses Argon2id variant by default (recommended)
• Automatic random salt generation
• RFC 9106 low-memory profile by default
• Fully typed (type hints throughout)
• Can verify any Argon2 variant

API Design#

from argon2 import PasswordHasher

ph = PasswordHasher()
hash = ph.hash("password")
ph.verify(hash, "password")  # Returns True or raises exception
ph.check_needs_rehash(hash)  # Check if parameters need updating

Default Parameters (v25.1.0)#

• Memory: 47,104 KiB (46 MiB) - RFC 9106 low-memory profile
• Time cost: 1 iteration
• Parallelism: 1

OWASP Recommendations#

Argon2id minimum configuration:

• Memory: 19 MiB (m=19456)
• Iterations: 2 (t=2)
• Parallelism: 1 (p=1)

Stronger configuration:

• Memory: 46 MiB (m=47104) ← argon2-cffi default
• Iterations: 1 (t=1)
• Parallelism: 1 (p=1)

Why Argon2?#

1. PHC Winner (2015) - Peer-reviewed, competition-hardened
2. Memory-hard - Resists GPU/ASIC attacks
3. Side-channel resistant (Argon2id variant)
4. Modern design - Addresses bcrypt/scrypt limitations
5. OWASP #1 recommendation for password storage

Verdict#

RECOMMENDED for all new projects. Zero CVEs, OWASP primary recommendation, excellent API design, active maintenance.

bcrypt#

Overview#

Python binding to the bcrypt password hashing algorithm via PyCA (Python Cryptographic Authority).

Key Metrics#

Maintainer#

PyCA (Python Cryptographic Authority) - Trusted organization

• Also maintains cryptography, pyOpenSSL
• Industry-standard cryptographic libraries
• Strong security practices

Security Status#

• CVEs: 0 (current versions)
• Historical: CVE-2013-1895 (old py-bcrypt <0.3, fixed)
• v5.0.0 security improvement: Now raises ValueError for passwords >72 bytes (was silently truncated)

Key Features#

• Simple 3-function API
• Automatic salt generation
• Adjustable work factor (cost parameter)
• Implemented in Rust (as of recent versions)
• 72-byte password limit (enforced in v5.0.0)

API Design#

import bcrypt

# Hash a password
salt = bcrypt.gensalt(rounds=12)  # Work factor
hashed = bcrypt.hashpw(b"password", salt)

# Verify a password
bcrypt.checkpw(b"password", hashed)  # Returns True/False

Performance#

• Design goal: Intentionally slow (~103 hashes/sec)
• Default rounds: 12 (≈300ms)
• OWASP guidance: Tune to 250-500ms on production hardware
• Comparison: SHA-256 is ~1,200x faster (that’s the point)

Limitations#

1. 72-byte password limit - Passwords truncated beyond this
2. No memory-hardness - Vulnerable to GPU attacks (compared to Argon2)
3. Legacy status - OWASP recommends Argon2 for new systems

OWASP Status#

• Recommendation: “Only for legacy systems where Argon2 and scrypt are not available”
• Work factor: Minimum 10, recommend 12+
• Still acceptable: For systems requiring <1 second authentication

Verdict#

ACCEPTABLE for existing systems, NOT recommended for new projects. 3x more downloads than argon2-cffi due to legacy adoption, but OWASP explicitly recommends Argon2 over bcrypt for new development.

hashlib.scrypt (Python stdlib)#

Overview#

Built-in scrypt implementation in Python’s hashlib module, available since Python 3.6.

Key Metrics#

API Design#

import hashlib
import os

# Generate hash
salt = os.urandom(16)
dk = hashlib.scrypt(
    b"password",
    salt=salt,
    n=2**14,      # CPU/memory cost (power of 2)
    r=8,          # Block size
    p=1,          # Parallelization
    maxmem=64*1024*1024,  # Max memory (64 MiB)
    dklen=64      # Output length
)

Parameters#

Memory calculation: 128 × n × r × p bytes

Security Considerations#

Strengths:

• Memory-hard (resists GPU/ASIC attacks)
• Part of Python stdlib (no external dependencies)
• Designed by Colin Percival (2009)

Limitations:

1. Parameter coupling - n controls BOTH time AND memory (cannot tune independently)
2. Salt management - Must generate unique salts manually
3. No high-level API - Raw primitive, easy to misuse
4. Requires OpenSSL 1.1+ - Not available on older systems

OWASP Status#

• Priority: #2 (after Argon2id)
• Recommendation: “Use when Argon2id unavailable”
• Configuration: n=2^17, r=8, p=1 minimum

Standalone scrypt Libraries#

Recommendation: Use hashlib.scrypt on Python 3.6+. Use scrypt package for older Python.

Why Argon2 Over scrypt?#

1. Independent parameters - Argon2 separates time and memory costs
2. PHC winner - More recent, competition-hardened design
3. Side-channel resistance - Argon2id variant addresses this
4. Better defaults - argon2-cffi provides safe defaults

Verdict#

ACCEPTABLE as Argon2 fallback. Stdlib availability is convenient, but parameter coupling makes tuning difficult. Prefer argon2-cffi for new projects per OWASP guidance.

passlib#

Overview#

Comprehensive password hashing framework supporting 30+ algorithms. UNMAINTAINED since October 2020.

Key Metrics#

Maintainer#

Eli Collins (individual developer)

• Organization: Assurance Technologies, LLC
• Status: No activity since 2020

Security Status#

• Formal CVEs: 0 assigned
• Known issues:
  • bcrypt_sha256 unsalted prehash vulnerability (EUVDB #VU28246)
  • DoS via wildcard passwords (SNYK-PYTHON-PASSLIB-40761)
• Compatibility: Incompatible with bcrypt 4.x (must pin <=4.0.0)

Supported Algorithms#

Modern (recommended):

• Argon2 (argon2id)
• BCrypt, BCrypt+SHA256
• SCrypt
• PBKDF2 (multiple variants)

Legacy (compatibility only):

• Unix crypt variants (DES, MD5, SHA256, SHA512)
• Windows NTLM, LanMan
• Oracle, MySQL, PostgreSQL hashes
• LDAP schemes
• Many others

API Design#

from passlib.hash import argon2

# Hash
hash = argon2.hash("password")

# Verify
argon2.verify("password", hash)

# CryptContext for migration
from passlib.context import CryptContext
ctx = CryptContext(schemes=["argon2", "bcrypt"], deprecated="auto")

Why Projects Used Passlib#

1. Algorithm abstraction - Easy migration between algorithms
2. CryptContext - Automatic hash upgrades on login
3. Legacy support - Verify old hashes during migration
4. Comprehensive - One library for all algorithms

Critical Problems (2025)#

1. Unmaintained 4+ years - No releases since October 2020
2. No Python 3.13 support - crypt module removed in 3.13
3. bcrypt 4.x incompatible - Must pin old versions
4. Community exodus - FastAPI, Ansible migrating away
5. Security debt - No patches for reported issues

Active Alternatives#

Verdict#

DO NOT USE for new projects. Unmaintained for 4+ years with known compatibility issues. For existing passlib deployments, plan migration to libpass (fork) or direct argon2-cffi/bcrypt usage.

S1 Recommendation: argon2-cffi#

Decision (Made in 15 minutes)#

WINNER: argon2-cffi library

Installation: pip install argon2-cffi

Rationale: OWASP + Zero CVEs + Modern Design#

Security Authority Alignment#

• OWASP 2025: Argon2id is #1 recommendation for password storage
• PHC 2015: Argon2 won the Password Hashing Competition
• CVE History: Zero vulnerabilities in argon2-cffi

Download Trends Tell the Story#

bcrypt’s higher downloads reflect legacy adoption, not current best practice.

Requirements Alignment#

Decision Matrix#

Why Not the Alternatives?#

bcrypt:

• OWASP: “Only for legacy systems”
• Not memory-hard (GPU vulnerable)
• 72-byte password limit
• Still acceptable, just not preferred

passlib:

• UNMAINTAINED since October 2020
• No Python 3.13 support
• FastAPI/Ansible migrating away
• Use libpass fork if needed

hashlib.scrypt:

• OWASP #2 (fallback position)
• Parameter coupling problem
• No high-level API
• Acceptable when Argon2 unavailable

Quick Start#

from argon2 import PasswordHasher

ph = PasswordHasher()

# Hash password
hash = ph.hash("user_password")

# Verify password
try:
    ph.verify(hash, "user_password")
    # Check if rehash needed (parameter updates)
    if ph.check_needs_rehash(hash):
        new_hash = ph.hash("user_password")
except argon2.exceptions.VerifyMismatchError:
    # Invalid password
    pass

Decision Confidence: VERY HIGH#

When OWASP explicitly ranks Argon2id as #1 and the library has:

• Zero CVEs
• Active maintenance
• Excellent API
• Sensible defaults

The choice is clear. Use argon2-cffi for all new password hashing.

Migration Note#

For existing bcrypt deployments:

1. Add argon2-cffi alongside bcrypt
2. Hash new passwords with Argon2
3. Verify old passwords with bcrypt
4. Re-hash to Argon2 on successful login
5. Eventually deprecate bcrypt verification

API Design Comparison: Password Hashing Libraries#

Design Philosophy Spectrum#

API Comparison#

argon2-cffi#

from argon2 import PasswordHasher
from argon2.exceptions import VerifyMismatchError

ph = PasswordHasher()

# Hash (automatic salt, sensible defaults)
hash = ph.hash("password")

# Verify (constant-time comparison)
try:
    ph.verify(hash, "password")
except VerifyMismatchError:
    # Invalid password
    pass

# Check if rehash needed (parameter updates)
if ph.check_needs_rehash(hash):
    new_hash = ph.hash("password")

Strengths:

• Sensible defaults (OWASP-compliant out of box)
• Exception-based verification (forces error handling)
• Built-in rehash detection for parameter migration
• Fully typed (IDE support)

Weaknesses:

• Exception-based API controversial (some prefer bool)

bcrypt#

import bcrypt

# Hash (must generate salt explicitly)
salt = bcrypt.gensalt(rounds=12)
hashed = bcrypt.hashpw(b"password", salt)

# Verify (returns bool)
if bcrypt.checkpw(b"password", hashed):
    # Valid password
    pass

Strengths:

• Simple 3-function API
• Boolean verification (familiar pattern)
• Explicit salt generation

Weaknesses:

• Must remember to generate salt
• Bytes-only API (encoding required)
• No built-in rehash detection
• Silent truncation at 72 bytes (fixed in v5.0.0)

passlib#

from passlib.hash import argon2

# Hash
hash = argon2.hash("password")

# Verify
if argon2.verify("password", hash):
    # Valid
    pass

# CryptContext for migration
from passlib.context import CryptContext
ctx = CryptContext(schemes=["argon2", "bcrypt"], deprecated="auto")

hash = ctx.hash("password")
valid = ctx.verify("password", hash)
needs_update = ctx.needs_update(hash)

Strengths:

• CryptContext for algorithm migration
• Automatic deprecated hash detection
• Unified API across algorithms

Weaknesses:

• Unmaintained (no Python 3.13)
• bcrypt 4.x incompatibility
• Complex configuration

hashlib.scrypt#

import hashlib
import os

# Hash (manual everything)
salt = os.urandom(16)
dk = hashlib.scrypt(
    b"password",
    salt=salt,
    n=2**17,
    r=8,
    p=1,
    maxmem=128*1024*1024,
    dklen=64
)

# Verify (manual comparison)
import hmac
stored_salt = ...  # retrieve from storage
stored_hash = ...  # retrieve from storage
computed = hashlib.scrypt(b"password", salt=stored_salt, n=2**17, r=8, p=1)
if hmac.compare_digest(computed, stored_hash):
    # Valid
    pass

Strengths:

• No external dependencies
• Full control over parameters

Weaknesses:

• No high-level API
• Manual salt management
• Manual constant-time comparison
• Easy to misuse

Feature Matrix#

Common Mistakes Prevented#

argon2-cffi#

# PREVENTED: Can't forget salt (automatic)
# PREVENTED: Can't use weak parameters (sensible defaults)
# PREVENTED: Can't use timing-vulnerable comparison (built-in)

bcrypt#

# POSSIBLE MISTAKE: Forgetting to generate salt
bcrypt.hashpw(b"password", b"$2b$12$...")  # Works but wrong

# POSSIBLE MISTAKE: Using non-constant-time comparison
if stored_hash == bcrypt.hashpw(b"password", stored_hash):  # Timing attack

# FIXED in v5.0.0: Password truncation (now raises ValueError)

hashlib.scrypt#

# POSSIBLE MISTAKE: Reusing salt
salt = b"static_salt"  # WRONG - must be unique per password

# POSSIBLE MISTAKE: Weak parameters
hashlib.scrypt(b"password", salt=salt, n=1024, r=1, p=1)  # Too weak

# POSSIBLE MISTAKE: Non-constant-time comparison
if computed_hash == stored_hash:  # Timing attack

API Usability Scoring#

Recommendation#

For new projects: argon2-cffi (best defaults, hard to misuse)

For migrations: libpass (maintained passlib fork) or implement dual-verify pattern:

from argon2 import PasswordHasher
import bcrypt

ph = PasswordHasher()

def verify_and_upgrade(password: str, stored_hash: str) -> tuple[bool, str | None]:
    """Verify password, return new hash if upgrade needed."""

    # Try Argon2 first
    if stored_hash.startswith("$argon2"):
        try:
            ph.verify(stored_hash, password)
            new_hash = ph.hash(password) if ph.check_needs_rehash(stored_hash) else None
            return True, new_hash
        except:
            return False, None

    # Fall back to bcrypt
    if stored_hash.startswith("$2"):
        if bcrypt.checkpw(password.encode(), stored_hash.encode()):
            return True, ph.hash(password)  # Upgrade to Argon2
        return False, None

    return False, None

S2 Comprehensive Analysis: Password Hashing Libraries#

Approach#

Time budget: 2-4 hours Goal: Deep technical comparison of password hashing libraries across security, performance, API design, and maintenance dimensions.

Evaluation Dimensions#

1. Security Analysis

   • Algorithm strength and design
   • CVE history and response time
   • Side-channel resistance
   • GPU/ASIC attack resistance

2. Performance Characteristics

   • Memory requirements
   • CPU cost tunability
   • Throughput under load
   • Parameter flexibility

3. API Design & Usability

   • Ease of correct use
   • Misuse resistance
   • Migration support
   • Type safety

4. Maintenance & Governance

   • Release frequency
   • Maintainer structure
   • Funding model
   • Community health

Libraries Analyzed#

Performance Comparison: Password Hashing Libraries#

Design Philosophy#

Password hashing algorithms are intentionally slow. The goal is to make brute-force attacks computationally expensive while keeping legitimate authentication acceptable.

Target latency: 250-500ms per hash (OWASP recommendation)

Algorithm Performance Characteristics#

Argon2id (argon2-cffi)#

Tunability: Independent control of memory and time costs (major advantage over scrypt).

bcrypt#

Limitation: Cannot increase memory usage. Rounds increase time exponentially (2^rounds).

scrypt (hashlib.scrypt)#

Limitation: N controls BOTH time AND memory (cannot tune independently).

Throughput Under Load#

Authentication throughput on typical server (4 cores, 16GB RAM):

Note: Lower throughput = higher security (by design).

Memory Scaling#

Implication: Memory-hard algorithms need capacity planning. bcrypt is memory-efficient.

Latency Benchmarks#

Measured on Intel i7-10700K @ 3.8GHz:

argon2-cffi (v25.1.0)#

bcrypt (v5.0.0)#

hashlib.scrypt#

DoS Considerations#

High-cost password hashing can be exploited for DoS attacks.

Best practice: Implement rate limiting before password hashing to prevent CPU/memory exhaustion.

Performance Scoring#

Recommendation by Workload#

S2 Comprehensive Recommendation#

Overall Scoring#

Primary Recommendation: argon2-cffi#

Winner: argon2-cffi

Why argon2-cffi Wins#

1. Best algorithm: Argon2id is OWASP #1 recommendation
2. Zero CVEs: Clean security record
3. Modern design: Memory-hard, side-channel resistant
4. Excellent API: Safe defaults, hard to misuse
5. Active maintenance: Python 3.13+ support, recent releases

When bcrypt is Acceptable#

• Existing bcrypt codebase (don’t rewrite just for this)
• Memory-constrained environments
• Need maximum throughput (cost=10)
• Legacy Python 2 support required

When to Avoid#

Recommended Configurations#

argon2-cffi (New Projects)#

from argon2 import PasswordHasher, Type

# Standard web application
ph = PasswordHasher()  # Uses RFC 9106 low-memory defaults

# High-security application
ph_secure = PasswordHasher(
    time_cost=3,
    memory_cost=128 * 1024,  # 128 MiB
    parallelism=1,
    type=Type.ID
)

bcrypt (Existing Systems)#

import bcrypt

# Minimum acceptable
BCRYPT_ROUNDS = 12  # ~300ms

# Tune based on your hardware
# Target: 250-500ms per hash

Migration Path#

Phase 1: Add argon2-cffi#

# requirements.txt
argon2-cffi>=25.1.0
bcrypt>=5.0.0  # Keep for verification

Phase 2: Dual Verification#

def verify_password(password: str, stored_hash: str) -> tuple[bool, str | None]:
    """Verify password, upgrade hash if needed."""

    if stored_hash.startswith("$argon2"):
        # Already Argon2
        try:
            ph.verify(stored_hash, password)
            return True, None
        except:
            return False, None

    if stored_hash.startswith("$2"):
        # Legacy bcrypt - verify and upgrade
        if bcrypt.checkpw(password.encode(), stored_hash.encode()):
            return True, ph.hash(password)
        return False, None

    return False, None

Phase 3: Deprecate bcrypt#

After sufficient time (6-12 months), consider:

1. Force password reset for remaining bcrypt users
2. Remove bcrypt verification code
3. Simplify to Argon2-only

Final Verdict#

Default choice: pip install argon2-cffi

Security Comparison: Password Hashing Libraries#

Algorithm Security Properties#

Memory Hardness#

Memory-hard algorithms resist GPU/ASIC attacks by requiring large amounts of memory.

Why it matters: GPUs can run thousands of bcrypt/PBKDF2 instances in parallel. Memory-hard algorithms force sequential memory access, limiting parallelism.

Side-Channel Resistance#

Recommendation: Argon2id balances GPU resistance (Argon2d) with side-channel resistance (Argon2i).

CVE History#

argon2-cffi#

Assessment: Clean security record since 2015.

bcrypt (pyca/bcrypt)#

• CVE-2013-1895: Affected py-bcrypt <0.3 (fixed)
• v5.0.0: Fixed silent password truncation (security improvement)

Assessment: Excellent security record for current versions.

passlib#

Known Issues (no CVE assigned):

• EUVDB #VU28246: bcrypt_sha256 unsalted prehash (medium risk)
• SNYK-PYTHON-PASSLIB-40761: DoS via wildcard passwords
• bcrypt 4.x incompatibility

Assessment: No formal CVEs but has unpatched security issues due to abandonment.

hashlib.scrypt#

Assessment: Part of Python stdlib, inherits OpenSSL’s security posture.

Attack Resistance Analysis#

Brute Force Cost (2025 estimates)#

Based on Red Hat Research analysis for 8-character passwords:

Source: Red Hat Research, “How expensive is it to crack Argon2?”

Compromise Rate Reduction#

Security Scoring#

Recommendations by Security Requirement#

S3 Need-Driven Analysis: Password Hashing Libraries#

Approach#

Goal: Match password hashing libraries to specific use case patterns, providing actionable recommendations for common scenarios.

Use Case Categories#

1. Standard Web Application - Typical SaaS/web app authentication
2. High-Security Application - Financial, healthcare, government
3. High-Traffic API - Authentication at scale
4. Legacy Migration - Upgrading from older hashing schemes
5. FIPS Compliance - Government/regulated environments

Evaluation Framework#

For each use case:

• Requirements analysis
• Library fitness scoring
• Configuration recommendations
• Implementation patterns

S3 Need-Driven Recommendation#

Use Case Summary#

Decision Tree#

Need password hashing?
│
├─ New project?
│  ├─ Yes → argon2-cffi (default config)
│  └─ No → See migration section
│
├─ FIPS-140 required?
│  ├─ Yes → PBKDF2 via hashlib (600K+ iterations)
│  └─ No → argon2-cffi
│
├─ High-security application?
│  ├─ Yes → argon2-cffi (128 MiB, 3 iterations)
│  └─ No → argon2-cffi (default)
│
├─ Memory-constrained?
│  ├─ Yes → bcrypt (cost=12)
│  └─ No → argon2-cffi
│
└─ Migrating from legacy?
   └─ Yes → Dual verification pattern

Configuration Quick Reference#

Standard (Default)#

from argon2 import PasswordHasher
ph = PasswordHasher()  # ~200ms, 46 MiB

High Security#

ph = PasswordHasher(time_cost=3, memory_cost=128*1024)  # ~500ms, 128 MiB

Memory Constrained#

import bcrypt
salt = bcrypt.gensalt(rounds=12)  # ~300ms, 4 KB

FIPS Compliant#

import hashlib
dk = hashlib.pbkdf2_hmac('sha256', password, salt, 600000)

Implementation Checklist#

All Projects#

• Use argon2-cffi for new password hashing
• Implement rate limiting on auth endpoints
• Log authentication events
• Use HTTPS for all password transmission
• Never store plaintext passwords

High Security#

• Increase memory_cost to 128 MiB+
• Implement pepper (application secret)
• Add multi-factor authentication
• Implement account lockout
• Security audit logging

Migration#

• Implement dual verification
• Track migration progress
• Plan timeline for legacy deprecation
• Communicate with users if forced reset needed

Final Verdict#

argon2-cffi covers 90%+ of use cases with its default configuration. Only deviate for:

• FIPS compliance → PBKDF2
• Severe memory constraints → bcrypt
• Existing bcrypt codebase → Keep + plan migration

Use Case: High-Security Application#

Scenario#

Applications with elevated security requirements:

• Financial services, healthcare, government
• Sensitive personal data
• Compliance requirements (SOC2, HIPAA, etc.)
• Sophisticated threat model

Requirements#

Library Fitness#

Recommendation: argon2-cffi (High Memory Configuration)#

Configuration#

from argon2 import PasswordHasher, Type

# High-security configuration
# - Memory: 128 MiB (2.8x default)
# - Time cost: 3 (3x default)
# - Parallelism: 1
# - Latency: ~400-500ms
ph = PasswordHasher(
    time_cost=3,
    memory_cost=128 * 1024,  # 128 MiB in KiB
    parallelism=1,
    hash_len=32,
    salt_len=16,
    type=Type.ID  # Argon2id (default, explicit for clarity)
)

Implementation Pattern#

import logging
from datetime import datetime
from argon2 import PasswordHasher, Type
from argon2.exceptions import VerifyMismatchError

logger = logging.getLogger("security")

class SecureAuthService:
    def __init__(self):
        self.ph = PasswordHasher(
            time_cost=3,
            memory_cost=128 * 1024,
            parallelism=1,
            type=Type.ID
        )

    def hash_password(self, password: str, user_id: str) -> str:
        """Hash password with audit logging."""
        hash = self.ph.hash(password)
        logger.info(f"Password hashed for user {user_id}", extra={
            "event": "password_hash",
            "user_id": user_id,
            "algorithm": "argon2id",
            "timestamp": datetime.utcnow().isoformat()
        })
        return hash

    def verify_password(
        self,
        password: str,
        hash: str,
        user_id: str,
        ip_address: str
    ) -> bool:
        """Verify password with security logging."""
        try:
            self.ph.verify(hash, password)
            logger.info(f"Successful authentication for {user_id}", extra={
                "event": "auth_success",
                "user_id": user_id,
                "ip_address": ip_address,
                "timestamp": datetime.utcnow().isoformat()
            })
            return True
        except VerifyMismatchError:
            logger.warning(f"Failed authentication for {user_id}", extra={
                "event": "auth_failure",
                "user_id": user_id,
                "ip_address": ip_address,
                "timestamp": datetime.utcnow().isoformat()
            })
            return False

    def enforce_password_policy(self, password: str) -> list[str]:
        """Validate password against security policy."""
        errors = []
        if len(password) < 12:
            errors.append("Password must be at least 12 characters")
        if not any(c.isupper() for c in password):
            errors.append("Password must contain uppercase letter")
        if not any(c.islower() for c in password):
            errors.append("Password must contain lowercase letter")
        if not any(c.isdigit() for c in password):
            errors.append("Password must contain digit")
        if not any(c in "!@#$%^&*()_+-=[]{}|;:,.<>?" for c in password):
            errors.append("Password must contain special character")
        return errors

Attack Cost Analysis#

With 128 MiB memory, 3 iterations:

Source: Red Hat Research Argon2 analysis

Additional Security Measures#

1. Hardware Security Module (HSM) for key storage
2. Pepper (application-level secret added to passwords)
3. Rate limiting with exponential backoff
4. Account lockout after failed attempts
5. Multi-factor authentication as additional layer

Pepper Implementation#

import hmac
import hashlib
import os

class PepperedAuthService(SecureAuthService):
    def __init__(self, pepper: bytes):
        super().__init__()
        # Pepper should be stored securely (HSM, env var, secrets manager)
        self.pepper = pepper

    def _apply_pepper(self, password: str) -> str:
        """Apply pepper to password before hashing."""
        return hmac.new(
            self.pepper,
            password.encode(),
            hashlib.sha256
        ).hexdigest()

    def hash_password(self, password: str, user_id: str) -> str:
        peppered = self._apply_pepper(password)
        return super().hash_password(peppered, user_id)

    def verify_password(self, password: str, hash: str, user_id: str, ip: str) -> bool:
        peppered = self._apply_pepper(password)
        return super().verify_password(peppered, hash, user_id, ip)

Compliance Considerations#

*For FIPS compliance, use PBKDF2-HMAC-SHA256 with 600,000+ iterations.

Use Case: Legacy Migration#

Scenario#

Upgrading from older password hashing schemes:

• MD5, SHA1, SHA256 (unsalted or weakly salted)
• Old bcrypt with low cost factor
• passlib-based systems
• Custom/proprietary schemes

Requirements#

Migration Strategies#

Strategy 1: Dual Verification (Recommended)#

Verify old hash formats, upgrade on successful login.

from argon2 import PasswordHasher
from argon2.exceptions import VerifyMismatchError
import bcrypt
import hashlib

class MigrationAuthService:
    def __init__(self):
        self.ph = PasswordHasher()

    def verify_and_upgrade(
        self,
        password: str,
        stored_hash: str
    ) -> tuple[bool, str | None]:
        """
        Verify password against any supported hash format.
        Returns (is_valid, new_hash_if_upgrade_needed).
        """

        # Try Argon2 first (target format)
        if stored_hash.startswith("$argon2"):
            try:
                self.ph.verify(stored_hash, password)
                # Check if parameters need updating
                if self.ph.check_needs_rehash(stored_hash):
                    return True, self.ph.hash(password)
                return True, None
            except VerifyMismatchError:
                return False, None

        # bcrypt (legacy)
        if stored_hash.startswith("$2"):
            try:
                if bcrypt.checkpw(password.encode(), stored_hash.encode()):
                    return True, self.ph.hash(password)
            except:
                pass
            return False, None

        # SHA256 (very old, insecure)
        if len(stored_hash) == 64 and stored_hash.isalnum():
            # Assuming format: sha256(password)
            computed = hashlib.sha256(password.encode()).hexdigest()
            if computed == stored_hash:
                return True, self.ph.hash(password)
            return False, None

        # MD5 (ancient, very insecure)
        if len(stored_hash) == 32 and stored_hash.isalnum():
            computed = hashlib.md5(password.encode()).hexdigest()
            if computed == stored_hash:
                return True, self.ph.hash(password)
            return False, None

        # Unknown format
        return False, None

Strategy 2: Wrap-and-Replace#

Wrap old hash with new algorithm (no password required).

def wrap_legacy_hash(old_hash: str) -> str:
    """
    Wrap legacy hash with Argon2 for immediate security upgrade.
    User can still login with original password.

    stored = argon2(old_hash)
    verify: argon2_verify(stored, legacy_hash(password))
    """
    ph = PasswordHasher()
    return ph.hash(old_hash)

def verify_wrapped(password: str, wrapped_hash: str, legacy_func) -> bool:
    """Verify against wrapped legacy hash."""
    ph = PasswordHasher()
    legacy_hash = legacy_func(password)
    try:
        ph.verify(wrapped_hash, legacy_hash)
        return True
    except:
        return False

Strategy 3: Force Reset (Last Resort)#

For severely compromised schemes or compliance requirements.

from datetime import datetime, timedelta

def identify_users_needing_reset(db) -> list:
    """Find users with legacy hashes requiring forced reset."""
    users = db.query(User).filter(
        ~User.password_hash.like("$argon2%")
    ).all()
    return users

def initiate_forced_reset(user, db):
    """Force password reset for user with legacy hash."""
    user.password_reset_required = True
    user.password_reset_deadline = datetime.utcnow() + timedelta(days=30)
    user.password_hash = None  # Invalidate old hash
    db.commit()
    send_password_reset_email(user)

Migration from passlib#

passlib is unmaintained. Migrate to direct library usage or libpass.

Option A: Direct Libraries (Recommended)#

# Before (passlib)
from passlib.context import CryptContext
ctx = CryptContext(schemes=["argon2", "bcrypt"], deprecated="auto")

# After (direct)
from argon2 import PasswordHasher
import bcrypt

ph = PasswordHasher()

def verify_and_upgrade(password: str, hash: str) -> tuple[bool, str | None]:
    if hash.startswith("$argon2"):
        try:
            ph.verify(hash, password)
            return True, None
        except:
            return False, None

    if hash.startswith("$2"):
        if bcrypt.checkpw(password.encode(), hash.encode()):
            return True, ph.hash(password)
        return False, None

    return False, None

Option B: libpass (passlib Fork)#

# pip install libpass

from libpass.context import CryptContext

# Same API as passlib, but maintained
ctx = CryptContext(schemes=["argon2", "bcrypt"], deprecated="auto")

Database Migration Tracking#

-- Add migration tracking columns
ALTER TABLE users ADD COLUMN password_algorithm VARCHAR(20);
ALTER TABLE users ADD COLUMN password_migrated_at TIMESTAMP;

-- Update on migration
UPDATE users
SET password_hash = :new_hash,
    password_algorithm = 'argon2id',
    password_migrated_at = NOW()
WHERE id = :user_id;

Migration Progress Monitoring#

def migration_stats(db) -> dict:
    """Get password migration statistics."""
    total = db.query(User).count()
    argon2 = db.query(User).filter(User.password_hash.like("$argon2%")).count()
    bcrypt = db.query(User).filter(User.password_hash.like("$2%")).count()
    legacy = total - argon2 - bcrypt

    return {
        "total_users": total,
        "argon2": argon2,
        "argon2_pct": round(argon2 / total * 100, 1),
        "bcrypt": bcrypt,
        "bcrypt_pct": round(bcrypt / total * 100, 1),
        "legacy": legacy,
        "legacy_pct": round(legacy / total * 100, 1),
        "migration_complete": legacy == 0 and bcrypt == 0
    }

Timeline Recommendation#

Use Case: Standard Web Application#

Scenario#

A typical SaaS or web application with user authentication:

• 1,000 - 100,000 users
• 10-100 logins per minute peak
• Standard security requirements
• Modern Python stack (3.10+)

Requirements#

Library Fitness#

Recommendation: argon2-cffi#

Configuration#

from argon2 import PasswordHasher

# Default configuration (RFC 9106 low-memory)
# - Memory: 46 MiB
# - Time cost: 1
# - Parallelism: 1
# - Latency: ~200ms
ph = PasswordHasher()

Implementation Pattern#

from argon2 import PasswordHasher
from argon2.exceptions import VerifyMismatchError, VerificationError

class AuthService:
    def __init__(self):
        self.ph = PasswordHasher()

    def hash_password(self, password: str) -> str:
        """Hash password for storage."""
        return self.ph.hash(password)

    def verify_password(self, password: str, hash: str) -> bool:
        """Verify password against stored hash."""
        try:
            self.ph.verify(hash, password)
            return True
        except (VerifyMismatchError, VerificationError):
            return False

    def needs_rehash(self, hash: str) -> bool:
        """Check if hash needs updating (parameter changes)."""
        return self.ph.check_needs_rehash(hash)

Database Schema#

CREATE TABLE users (
    id SERIAL PRIMARY KEY,
    email VARCHAR(255) UNIQUE NOT NULL,
    password_hash VARCHAR(255) NOT NULL,  -- Argon2 hashes are ~100 chars
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

Framework Integration#

FastAPI:

from fastapi import Depends, HTTPException
from argon2 import PasswordHasher

ph = PasswordHasher()

async def authenticate_user(email: str, password: str, db: Session):
    user = db.query(User).filter(User.email == email).first()
    if not user:
        raise HTTPException(401, "Invalid credentials")

    try:
        ph.verify(user.password_hash, password)
    except:
        raise HTTPException(401, "Invalid credentials")

    # Upgrade hash if needed
    if ph.check_needs_rehash(user.password_hash):
        user.password_hash = ph.hash(password)
        db.commit()

    return user

Django:

# settings.py
PASSWORD_HASHERS = [
    'django.contrib.auth.hashers.Argon2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',  # fallback
]

# pip install django[argon2]

Security Checklist#

• Use argon2-cffi default configuration
• Store only hashed passwords (never plaintext)
• Use HTTPS for password transmission
• Implement rate limiting on login endpoint
• Log failed authentication attempts
• Consider account lockout after N failures

Algorithm Trajectory Analysis#

Standards Body Adoption#

Argon2#

Trajectory: ASCENDING - Becoming the de facto standard

bcrypt#

Trajectory: STABLE-TO-DECLINING - Acceptable but being superseded

scrypt#

Trajectory: STABLE - Established but not preferred

PBKDF2#

Trajectory: DECLINING but REQUIRED for FIPS compliance

Security Research Attention#

Cryptanalysis Activity#

Recent Publications (2023-2025)#

Argon2:

• “Evaluating Argon2 Adoption and Effectiveness in Real-World Software” (2024)
• Red Hat Research: Attack cost analysis (2024)
• Multiple parameter tuning studies

bcrypt:

• Few new publications (algorithm considered “solved”)
• Focus shifting to Argon2 comparison studies

scrypt:

• Mostly comparative studies with Argon2
• Parameter optimization research

OWASP Recommendation Evolution#

Historical Timeline#

Current OWASP Priority Order (2025)#

1. Argon2id (primary)
2. scrypt (if Argon2 unavailable)
3. bcrypt (legacy systems only)
4. PBKDF2 (FIPS compliance only)

5-Year Algorithm Forecast#

Argon2#

bcrypt#

scrypt#

PBKDF2#

Post-Quantum Considerations#

Password hashing algorithms are NOT directly affected by quantum computing:

• They don’t rely on public-key cryptography
• Hash functions remain secure (Grover’s algorithm halves effective bits)
• 256-bit outputs provide 128-bit post-quantum security

Conclusion: No quantum migration needed for password hashing.

Strategic Implications#

For New Projects#

Choose Argon2 (argon2-cffi):

• Standards trajectory is ascending
• OWASP primary recommendation
• Best security properties
• Will be the standard for foreseeable future

For Existing bcrypt Projects#

No urgent migration needed:

• bcrypt remains acceptable
• Plan gradual migration over 2-5 years
• Implement dual verification for smooth transition

For FIPS Environments#

Stuck with PBKDF2:

• NIST may eventually approve Argon2
• Until then, PBKDF2 with 600K+ iterations
• Consider compensating controls

S4 Strategic Analysis: Password Hashing Libraries#

Approach#

Goal: Evaluate long-term viability, maintenance sustainability, and strategic positioning of password hashing libraries over 5-10 year horizon.

Evaluation Dimensions#

1. Maintainer Sustainability

   • Individual vs organization
   • Funding model
   • Bus factor
   • Succession planning

2. Algorithm Trajectory

   • Standards body adoption
   • Security research attention
   • Cryptographic community consensus

3. Migration Risk

   • Algorithm deprecation likelihood
   • Migration complexity
   • Breaking changes history

4. Ecosystem Health

   • Dependent packages
   • Framework integration
   • Community engagement

Maintainer Sustainability Analysis#

argon2-cffi#

Maintainer Profile#

Primary: Hynek Schlawack

• Type: Individual (well-known Python community member)
• Other projects: attrs, structlog, doc2dash, prometheus-async
• Track record: 10+ years maintaining popular Python packages
• Community standing: PSF Fellow, conference speaker

Funding Model#

Bus Factor Assessment#

Overall: MODERATE RISK (well-funded individual with strong track record)

5-Year Viability: HIGH (85%)#

Rationale:

• Stable funding model
• Strong community reputation
• Simple, focused codebase (easy to maintain)
• Algorithm is standards-track

bcrypt (PyCA)#

Maintainer Profile#

Primary: Python Cryptographic Authority (PyCA)

• Type: Organization
• Members: Multiple core maintainers (Alex Gaynor, Paul Kehrer, etc.)
• Other projects: cryptography, pyOpenSSL, PyNaCl
• Track record: 10+ years, industry standard libraries

Funding Model#

Bus Factor Assessment#

Overall: LOW RISK (organization with multiple maintainers and funding)

5-Year Viability: VERY HIGH (95%)#

Rationale:

• Organization structure with multiple maintainers
• Industry-critical infrastructure
• Stable corporate backing
• Proven 10+ year track record

passlib#

Maintainer Profile#

Primary: Eli Collins

• Type: Individual
• Status: INACTIVE since October 2020
• Organization: Assurance Technologies, LLC (defunct?)

Funding Model#

Bus Factor Assessment#

Overall: CRITICAL RISK (effectively abandoned)

5-Year Viability: VERY LOW (10%)#

Rationale:

• No releases in 4+ years
• Major frameworks migrating away (FastAPI, Ansible)
• No Python 3.13+ support
• Fork (libpass) is the continuation path

hashlib.scrypt (stdlib)#

Maintainer Profile#

Primary: Python Core Development Team

• Type: Organization (PSF-governed)
• Size: Hundreds of contributors
• Governance: PEP process, steering council

Funding Model#

Bus Factor Assessment#

Overall: VERY LOW RISK (Python Foundation backed)

5-Year Viability: VERY HIGH (99%)#

Rationale:

• Part of Python stdlib
• PSF governance guarantees maintenance
• Will exist as long as Python exists
• OpenSSL dependency is also well-maintained

Summary: Maintainer Risk Matrix#

Strategic Recommendations#

1. Safest bet: bcrypt (PyCA) or hashlib.scrypt (stdlib)
2. Best algorithm + acceptable risk: argon2-cffi
3. Avoid: passlib (use libpass fork if needed)
4. Hedge: Abstract password hashing behind interface for easy library swap

S4 Strategic Recommendation#

Overall Strategic Assessment#

Primary Recommendation: argon2-cffi#

Strategic Rationale#

1. Algorithm is winning: OWASP #1, RFC 9106, PHC winner
2. Maintainer acceptable: Well-funded individual with track record
3. Migration risk low: Algorithm will be standard for 10+ years
4. No quantum concerns: Hash functions unaffected

Risk Mitigation#

# Abstract for future flexibility
from abc import ABC, abstractmethod

class PasswordHasher(ABC):
    @abstractmethod
    def hash(self, password: str) -> str: ...

    @abstractmethod
    def verify(self, password: str, hash: str) -> bool: ...

class Argon2Hasher(PasswordHasher):
    def __init__(self):
        from argon2 import PasswordHasher as ArgonPH
        self._ph = ArgonPH()

    def hash(self, password: str) -> str:
        return self._ph.hash(password)

    def verify(self, password: str, hash: str) -> bool:
        try:
            self._ph.verify(hash, password)
            return True
        except:
            return False

# Future-proof: can swap implementation without changing interface
hasher: PasswordHasher = Argon2Hasher()

Secondary Recommendation: bcrypt (PyCA)#

When to Choose#

• Maintainer stability is paramount
• Memory constraints exist
• Existing bcrypt codebase
• Need proven 10+ year track record

Strategic Rationale#

• PyCA backing: Organization with proven sustainability
• Industry standard: Critical infrastructure status
• Algorithm acceptable: Not optimal but still secure
• Migration cost: Low if already using bcrypt

What to Avoid#

passlib#

Status: Effectively dead

• Unmaintained since October 2020
• Major frameworks migrating away
• Use libpass fork if passlib API needed

hashlib.scrypt (as primary)#

Not recommended as primary despite high viability:

• Poor API for application code
• Parameter coupling makes tuning difficult
• Argon2 is superior algorithm

Acceptable as: Fallback or stdlib-only requirement

Long-Term Strategy#

Phase 1: Current (2025)#

Phase 2: Migration (2025-2027)#

Phase 3: Consolidation (2027+)#

Decision Framework#

Choosing password hashing library (strategic view):

1. Is FIPS-140 compliance required?
   YES → PBKDF2 (hashlib.pbkdf2_hmac)
   NO → Continue

2. Is this a new project?
   YES → argon2-cffi
   NO → Continue

3. Are you currently using bcrypt?
   YES → Keep bcrypt, plan 2-year migration to Argon2
   NO → Continue

4. Are you using passlib?
   YES → Migrate to libpass OR direct argon2-cffi/bcrypt
   NO → Continue

5. Default → argon2-cffi

Final Verdict#

Strategic winner: argon2-cffi

The algorithm trajectory strongly favors Argon2, and the moderate maintainer risk is acceptable given the algorithm’s standards-track status. If argon2-cffi were to become unmaintained, another library would quickly fill the gap due to Argon2’s importance.