werkzeug generate_password_hash, is there any point?

Question

I'm building a python app that uses werkzeug's hashing functions. An example User model:

class User(db.Model):
    __tablename__ = 'users'
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(64), unique=True, index=True)
    role_id = db.Column(db.Integer, db.ForeignKey('roles.id'))
    password_hash = db.Column(db.String(128))

    # Custom property getter
    @property
    def password(self):
        raise AttributeError('password is not a readable attribute')

    # Custom property setter
    @password.setter
    def password(self, password):
        self.password_hash = generate_password_hash(password)

    def verify_password(self, password):
        return check_password_hash(self.password_hash, password)

    def __repr__(self):
        return '<User %r>' % self.username

I see that now the password is stored as a hash in the database and any attacker who sees the hash won't know what the password is without decrypting it. However isn't werkzeug's hashing function a fairly obvious choice for a lot of apps? Could the attacker just use the check_password_hash function and decrypt the password?

Answer 1

Essentially password_hash uses a one-way function to create a hash that is not reversible. Additionally it adds information to the hash such as the hash algorithm, salt value, iteration count and of course the hash value, this is what is stored. password_verify takes the password and the additional information in the result of password_hash to again create the hash and compares the hash values.

Additionally and importantly password_hash iterates over the hash function to make the process take longer, a good value is 100ms. Thus the best an attacker can do it try passwords to find one that matches and each attempt takes a substantial amount of time. Of course faster computational systems can reduce the ~100ms but it is still costly.