You should be using bcrypt.

django-bcrypt makes it easy to use bcrypt to hash passwords with Django.

Installation and Usage

Install the package with pip and Mercurial or git:

pip install -e hg+

# or ...

pip install -e git://

Add django_bcrypt to your INSTALLED_APPS.

That's it.

Any new passwords set will be hashed with bcrypt. Old passwords will still work fine.


You can set BCRYPT_ROUNDS to change the number of rounds django-bcrypt uses. The default is 12.

You can change the number of rounds without breaking already-hashed passwords. New passwords will use the new number of rounds, and old ones will use the old number.

You can set BCRYPT_MIGRATE to automatically migrate old sha1 passwords to bcrypt on login (or, more specifically, every time User.check_password() is called). The hash is also recomputed when BCRYPT_ROUNDS changes.
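Changing the rounds does not break existing hashes because every bcrypt string carries its own cost. The sketch below is an added example, not django-bcrypt's own code: it reads the cost from a stored value and decides whether a successful login should trigger a re-hash. The `bc$` storage prefix, the function names, and the reading that a rounds change is only re-hashed while BCRYPT_MIGRATE is on are assumptions; the sample values are constructed.

```python
import re

# bcrypt modular crypt format: $2a$<2-digit cost>$<22-char salt><31-char digest>
# The optional "bc$" storage prefix is an assumption, not taken from the page.
BCRYPT_RE = re.compile(r"(?:bc\$)?\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}")


def stored_cost(stored):
    """Return the cost embedded in a stored bcrypt value, or None if not bcrypt."""
    m = BCRYPT_RE.fullmatch(stored)
    if m is None:
        return None
    cost = int(m.group(1))
    # bcrypt only accepts costs in the range 4..31
    return cost if 4 <= cost <= 31 else None


def needs_rehash(stored, rounds=12, migrate=False):
    """Decide, after a successful check_password(), whether to re-hash.

    rounds  -- current BCRYPT_ROUNDS value (default 12, as on the page)
    migrate -- current BCRYPT_MIGRATE value
    """
    if not migrate:
        # Old hashes keep verifying with the cost they were created with.
        return False
    cost = stored_cost(stored)
    if cost is not None:
        return cost != rounds           # BCRYPT_ROUNDS changed since hashing
    return stored.startswith("sha1$")   # legacy Django sha1$<salt>$<hex> entry


# Constructed sample values (not real password hashes).
SAMPLE_BCRYPT_12 = "bc$$2a$12$" + "A" * 22 + "B" * 31
SAMPLE_SHA1 = "sha1$a1b2c$" + "0" * 40

if __name__ == "__main__":
    for label, value in [("bcrypt", SAMPLE_BCRYPT_12), ("sha1", SAMPLE_SHA1)]:
        print(label, "cost:", stored_cost(value),
              "rehash at rounds=14:", needs_rehash(value, rounds=14, migrate=True))
```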


This is pretty much a packaged-up version of this blog post for easier use.

It also depends on the py-bcrypt library.