Passlib

Python password hashing library providing a unified interface to 30+ password hashing algorithms (bcrypt, argon2, scrypt, pbkdf2, sha256_crypt, etc.). Handles hashing, verification, and hash migration. Used in FastAPI and Flask user authentication systems for secure password storage. The standard Python password hashing library despite being in maintenance mode.

Evaluated Mar 06, 2026 (0d ago) v1.7.4+
Developer Tools python password hashing bcrypt argon2 security authentication
⚙ Agent Friendliness: 69 / 100 (Can an agent use this?)
🔒 Security: 94 / 100 (Is it safe for agents?)
⚡ Reliability: 92 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 88
Error Messages: 85
Auth Simplicity: 100
Rate Limits: 100

🔒 Security

TLS Enforcement: 100
Auth Strength: 95
Scope Granularity: 90
Dep. Hygiene: 85
Secret Handling: 95

Security-focused library with constant-time comparison. In maintenance mode but still secure. Passwords never stored in plaintext. Uses industry-standard algorithms.

⚡ Reliability

Uptime/SLA: 100
Version Stability: 88
Breaking Changes: 90
Error Recovery: 88

Best When

You need secure password hashing in Python with multiple algorithm support, legacy hash migration, or FastAPI's built-in security examples that reference passlib.

Avoid When

Starting fresh with argon2 only — use argon2-cffi directly without passlib overhead. Passlib is in maintenance mode.

Use Cases

  • Hash and verify user passwords securely in agent API backends with bcrypt or argon2 algorithms
  • Implement password migration from legacy hash algorithms to modern secure hashes in agent user systems
  • Use FastAPI's security utilities that rely on passlib CryptContext for OAuth2 password flow
  • Verify passwords in agent authentication middleware with constant-time comparison
  • Manage password policy and hash algorithm upgrades via CryptContext configuration

Not For

  • New projects seeking active maintenance — passlib is in maintenance mode; consider argon2-cffi directly for new projects
  • General cryptography beyond passwords — use the cryptography library for encryption, signing, etc.
  • Token generation — use secrets module for secure random tokens

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: No

Authentication

Methods: none
OAuth: No
Scopes: No

Local library for password hashing — implements auth primitives, not an auth provider.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Completely free and open source. In maintenance mode — security patches only.

Agent Metadata

Pagination: none
Idempotent: Partial
Retry Guidance: Not documented

Known Gotchas

  • passlib is in maintenance mode — no new features; consider argon2-cffi for new projects, though passlib still works fine
  • bcrypt requires the bcrypt package (pip install passlib[bcrypt]); passlib itself doesn't include the bcrypt C extension
  • argon2 requires argon2-cffi (pip install passlib[argon2]); as with bcrypt, an extra install is required
  • CryptContext.verify_and_update() returns (verified, new_hash); new_hash is non-None only when a hash algorithm upgrade is needed, and agents must persist the updated hash
  • Password hashing is intentionally CPU-intensive; in async agent APIs, run hash operations in an executor (loop.run_in_executor) to avoid blocking the event loop
  • deprecated="auto" in CryptContext marks old schemes as deprecated but doesn't automatically rehash; call verify_and_update(), not verify(), to trigger rehashing


Scores are editorial opinions as of 2026-03-06.
