Menu
This question is related to: Unique Salt per User using Flask-Security, but I'm more concerned with removing this error message.
The linked question established that flask-security uses per-user salts, which is good since a global salt is pointless.
So my question is what's the point of this configuration variable, and what should I set it to to resolve this error? Does it matter what I set it to?
I don't think I need a global salt since flask-security uses passlib which takes care of salts for me.
(The error message in the title occurs even when copying the example straight from the docs: (peewee example))
829
The global "salt" you specify in SECURITY_PASSWORD_SALT is combined with the unique salt generated for each password that gets created. That combined value is then used to salt the password when it gets hashed. So yes, you do need to set this, it's not a spurious error.
(Others have noted that it's quite confusing to refer to this as a salt, when that strongly implies that the value in this variable is going to be used to salt the password for every user. Fortunately, that's not what happens.)
Here are some options for generating a random string.
154
Usually the SECRET_KEY value is set in a Flask app. A simple solution to the error with Flask-Security is add this line to your Flask application:
if 'SECURITY_PASSWORD_SALT' not in app.config:
app.config['SECURITY_PASSWORD_SALT'] = app.config['SECRET_KEY']
answered Dec 22 '25 19:12
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With