Password Hashing & Security
Django's authentication framework never stores a password as plain text: User.set_password() runs it through PBKDF2, a salted and deliberately slow key-derivation function, before anything reaches the database. Understanding how that hash is built, verified and upgraded is essential for building secure applications.
15 min•By Priygop Team•Updated 2026
Password Security
- Django uses PBKDF2 with SHA256 by default; the iteration count is pinned to the Django release (260,000 in Django 3.2) and is raised in each new major version, so check PBKDF2PasswordHasher.iterations for the version you run
- Each password gets its own random salt, so identical passwords hash to different values and precomputed (rainbow) tables are useless
- PASSWORD_HASHERS setting controls the hashing algorithm
- make_password(raw) — Hash a password manually
- check_password(raw, hashed) — Verify a password
- User.set_password(raw) — Hash and set a new password in memory (call user.save() afterwards to persist it)
- User.check_password(raw) — Check against stored hash
- NEVER store or log plain-text passwords
Password Hashing
# How Django stores a password (one string in the `password` column):
#   <algorithm>$<iterations>$<salt>$<base64 hash>
#   pbkdf2_sha256$260000$abc123salt$hashedvalue...
# The field separator is '$'. The iteration count recorded is the one in
# force when the hash was written, so old hashes stay verifiable after an
# upgrade and are re-hashed on the user's next successful login.

# Password validation in settings.py
AUTH_PASSWORD_VALIDATORS = [
    {'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator'},
    {'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
     'OPTIONS': {'min_length': 8}},
    {'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator'},
    {'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator'},
]

# Manual password operations
from django.contrib.auth.hashers import make_password, check_password

hashed = make_password('mypassword123')             # 'pbkdf2_sha256$...$...$...'
is_valid = check_password('mypassword123', hashed)   # True
is_valid = check_password('wrongpassword', hashed)   # False

# Changing a user's password
from django.contrib.auth import get_user_model

User = get_user_model()
user = User.objects.get(username='alice')
user.set_password('newsecurepassword')  # hashes in memory only ...
user.save()                             # ... the save is what persists it

# NEVER do this:
user.password = 'rawpassword'  # stores plain text, and check_password() will reject it
Tip
Django uses PBKDF2 with SHA256 for password hashing by default. Never store plain text passwords — always use set_password().
Common Mistake
Warning
Storing passwords in plain text: user.password = 'raw'. The value sits unhashed in the database, and because it is not in Django's hash format the user cannot even log in with it. Always use user.set_password('raw'), which hashes properly, followed by user.save().
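To see what the stored string looks like and how verification behaves, the following is an added stand-alone example that re-implements the pbkdf2_sha256 encoding written by Django's PBKDF2PasswordHasher using only the Python standard library. It is not Django's code and is not part of this page's original material; the function names (encode_password, verify_password, must_update, raw_hash_hex), the 22-character salt and the CURRENT_ITERATIONS value are assumptions made for the example, and CURRENT_ITERATIONS stands in for whatever your Django release sets. It also exercises the two cases discussed above: a plain-text value written straight into the column never verifies, and a hash made under an older, lower iteration count still verifies but is flagged for re-hashing, which is what Django does on the next successful login.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Added example, not Django's code: re-implements the string that
# PBKDF2PasswordHasher stores, so it can be inspected without a Django project.
ALGORITHM = "pbkdf2_sha256"
# Assumption: a stand-in for the iteration count of the Django release in use.
# Django raises its default with each major version, so do not hard-code this
# in real code; read PBKDF2PasswordHasher.iterations instead.
CURRENT_ITERATIONS = 600_000
SALT_CHARS = string.ascii_letters + string.digits
SALT_LEN = 22  # assumption for the example; Django's salt length has changed across releases


def make_salt(length=SALT_LEN):
    """Fresh random alphanumeric salt; one per password is what defeats rainbow tables."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def encode_password(password, salt=None, iterations=CURRENT_ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>'."""
    salt = salt or make_salt()
    if "$" in salt:
        raise ValueError("salt must not contain the '$' field separator")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode('ascii')}"


def is_encoded(stored):
    """True only for the four-field shape written by encode_password."""
    parts = stored.split("$")
    return len(parts) == 4 and parts[0] == ALGORITHM and parts[1].isdigit() and all(parts[1:])


def raw_hash_hex(stored):
    """Hex of the decoded digest, for comparing against published PBKDF2-HMAC-SHA256 vectors."""
    return base64.b64decode(stored.split("$")[3]).hex()


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count, then compare in constant time.

    Anything that is not in encoded form (for example a raw password assigned
    directly to user.password) fails here, even if the candidate matches it.
    """
    if not is_encoded(stored):
        return False
    _, iterations, salt, _ = stored.split("$")
    candidate = encode_password(password, salt=salt, iterations=int(iterations))
    return hmac.compare_digest(candidate.encode(), stored.encode())


def must_update(stored):
    """True if the hash was made with fewer iterations than the current default.

    Django runs the equivalent check after a successful login and re-hashes the
    password with the current parameters, which is how hashes written by an
    older release get upgraded without forcing a reset.
    """
    return not is_encoded(stored) or int(stored.split("$")[1]) < CURRENT_ITERATIONS


if __name__ == "__main__":
    secret = "correct horse battery staple"  # constructed sample input
    stored = encode_password(secret)
    print(stored)
    print(verify_password(secret, stored), verify_password("wrong", stored))
    legacy = encode_password(secret, iterations=260_000)  # as an older release would write it
    print(verify_password(secret, legacy), must_update(legacy))
    print(verify_password("rawpassword", "rawpassword"))  # plain text in the column never verifies
```

Two things to notice when running it: the same password encoded twice gives two different strings because the salt differs, while re-encoding with the salt and iteration count pulled out of a stored string reproduces it exactly, which is all verification is. The comparison uses hmac.compare_digest rather than == so that timing does not leak how many leading bytes matched. raw_hash_hex() lets you check the derivation against a published PBKDF2-HMAC-SHA256 test vector if you want independent confirmation that the encoding is standard PBKDF2 and nothing Django-specific.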
Practice Task
Note
(1) Create a user with set_password(). (2) Check password with check_password(). (3) View the hashed password.
Key Takeaways
- Django NEVER stores passwords as plain text.
- Django uses PBKDF2 with SHA256 by default; the iteration count depends on the Django release (260,000 in Django 3.2, higher in later versions) and existing hashes are upgraded on the next successful login
- Each password has a unique random salt (prevents rainbow tables)
- PASSWORD_HASHERS setting controls the hashing algorithm