

Ask HN: Bcrypt vs Werkzeug - dillon

Bcrypt is a Python module that encrypts passwords.
http://www.mindrot.org/projects/py-bcrypt/

Werkzeug is a WSGI Utility Library that comes with encrypting.
http://werkzeug.pocoo.org/docs/utils/#module-werkzeug.security

I was wondering if anyone knows which one is better/safer/more consistent?
======
vorador
The werkzeug implementation uses sha1 or md5 (which is bad, see
[http://chargen.matasano.com/chargen/2007/9/7/enough-with-the...](http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html)
for a good explanation). Stick to bcrypt.

~~~
JoachimSchipper
Yes, indeed. Werkzeug uses un-iterated SHA1 or MD5 [1], even; one could run
through a wordlist distressingly fast.

Do note that bcrypt is a binary module that may not be universally available.

[1] Actually HMAC-(MD5/SHA1), what's up with that?
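
Added example, not part of the thread and not Werkzeug's or py-bcrypt's code: it measures the per-guess cost of a single-pass salted HMAC-SHA1 against an iterated hash, and shows a verifier that accepts old single-pass records while flagging them for re-hashing. Assumptions: the `hmac-sha1$salt$digest` and `pbkdf2$iterations$salt$digest` record formats and the `ITERATIONS` value are constructed for this example, and stdlib PBKDF2 stands in for bcrypt's work factor because bcrypt is a binary module that may not be installed.

```python
import hashlib, hmac, os, time

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware

def fast_hash(password: str, salt: bytes) -> str:
    """Single-pass salted HMAC-SHA1: the un-iterated style discussed in the thread."""
    return hmac.new(salt, password.encode(), hashlib.sha1).hexdigest()

def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Iterated PBKDF2-HMAC-SHA256 (stdlib stand-in for a work-factor hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def make_record(password: str) -> str:
    """Create a storable record with a fresh random salt."""
    salt = os.urandom(16)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${slow_hash(password, salt)}"

def verify(password: str, record: str):
    """Return (ok, needs_rehash). Legacy records verify but are flagged so the
    application can replace them with make_record() at the next good login."""
    scheme, *rest = record.split("$")
    if scheme == "hmac-sha1":
        salt_hex, digest = rest
        ok = hmac.compare_digest(fast_hash(password, bytes.fromhex(salt_hex)), digest)
        return ok, ok  # correct password, weak storage: upgrade it
    if scheme == "pbkdf2":
        iters, salt_hex, digest = rest
        salt = bytes.fromhex(salt_hex)
        ok = hmac.compare_digest(slow_hash(password, salt, int(iters)), digest)
        return ok, ok and int(iters) < ITERATIONS
    return False, False  # unknown scheme: reject

def seconds_per_hash(fn, rounds: int) -> float:
    """Average wall-clock cost of one hash computation."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"sample{i}", salt)
    return (time.perf_counter() - start) / rounds

def cost_ratio() -> float:
    """How many times more expensive one iterated hash is than one single pass."""
    return seconds_per_hash(slow_hash, 3) / seconds_per_hash(fast_hash, 2000)

if __name__ == "__main__":
    print(f"iterated hash costs ~{cost_ratio():,.0f}x more per guess")
```

The ratio is what a defender buys with the work factor: every offline guess against a leaked table costs that many times more, while a legitimate login pays the cost only once.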

