by inglor 3510 days ago
Major props to Anthony (https://github.com/ircmaxell) for adding this as a language-supported feature to PHP, as well as for his work on techniques for preventing injection.

I work with C#, Java, Python, Go and JS on backends a lot, and no other language I've worked with had such a simple but secure API.


Not a std lib in Python, but Django has a nice API as well for saving the password [0].

    from django.contrib.auth.models import User
    u = User.objects.get(username='john')
    u.set_password('new password')
    u.save()

And here is the code which does all the magic [1]. You can also generate nice passwords [2], use many different available hashers [3], or write your own [4].

[0] - https://docs.djangoproject.com/en/dev/topics/auth/default/#c...

[1] - https://github.com/django/django/blob/stable/1.10.x/django/c... and https://github.com/django/django/blob/stable/1.10.x/django/c...

[2] - https://docs.djangoproject.com/en/dev/topics/auth/customizin...

[3] - https://docs.djangoproject.com/en/dev/topics/auth/passwords/...

[4] - https://docs.djangoproject.com/en/dev/topics/auth/passwords/...

One really nice feature that Django has that is rare and well done is the password upgrading workflow. Not only do they let your app support multiple algorithms at the same time (with one preferred), they also let you chain algorithms during upgrade [0], so if you have a legacy database with all SHA1 passwords, you can upgrade all of them to PBKDF2. At first these will all be PBKDF2(SHA1(pw)), and they will get migrated to just PBKDF2(pw) as users log in, if you set PBKDF2 to your preferred algo.

Note that of course the password algorithms are typed, so this doesn't cause a problem in the corner case that a user's password is a sha1 hash of something else.

[0] - https://docs.djangoproject.com/en/dev/topics/auth/passwords/...

Now how did I not know about `make_random_password`? Solid tip, thanks!

I can't speak for all of those languages, but this functionality is often provided at the web framework level in Python and it fits quite nicely there. Since your web framework typically also knows where you are storing your passwords, you can do nice things like increase the number of bcrypt rounds in a settings file and have users transparently migrated as they log in, which I'd assume doesn't really work at the language level.

Still, a pragmatic answer and, given PHP started life as a web framework, fitting :).
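The upgrade workflow from the Django comment above (wrap legacy SHA1 entries as PBKDF2(SHA1(pw)) offline, then rehash to plain PBKDF2(pw) as users log in) and the "migrate transparently at login" point in this reply, as an added example that is not Django's code: standard library only, with constructed scheme tags, an assumed work factor, and the same `algo$...$digest` layout for every entry.

```python
import hashlib, hmac, os

PREFERRED = "pbkdf2_sha256"
ITERATIONS = 100_000  # assumed work factor for this illustration

def _pbkdf2(secret, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), iterations).hex()

def _sha1(salt, pw):
    return hashlib.sha1((salt + pw).encode()).hexdigest()

def make_sha1(pw):
    # Legacy scheme as found in the old database: sha1$salt$hex(sha1(salt + pw)).
    salt = os.urandom(8).hex()
    return f"sha1${salt}${_sha1(salt, pw)}"

def make_pbkdf2(pw):
    # Preferred scheme: pbkdf2_sha256$iterations$salt$hex(PBKDF2(pw)).
    salt = os.urandom(8).hex()
    return f"pbkdf2_sha256${ITERATIONS}${salt}${_pbkdf2(pw, salt, ITERATIONS)}"

def wrap_sha1(stored):
    # Offline bulk step: PBKDF2 over the stored sha1 digest gives PBKDF2(SHA1(pw)), no password needed.
    algo, sha1_salt, digest = stored.split("$")
    assert algo == "sha1", "only sha1 entries can be wrapped"
    salt = os.urandom(8).hex()
    return f"pbkdf2_wrapped_sha1${ITERATIONS}${sha1_salt}${salt}${_pbkdf2(digest, salt, ITERATIONS)}"

def verify(pw, stored):
    # The algorithm tag picks the path, so a password that happens to equal some sha1
    # digest is never mistaken for a wrapped entry (the corner case noted above).
    algo, *p = stored.split("$")  # p = [salt, d] | [iters, salt, d] | [iters, sha1_salt, salt, d]
    if algo == "sha1":
        expected = _sha1(p[0], pw)
    elif algo == "pbkdf2_sha256":
        expected = _pbkdf2(pw, p[1], int(p[0]))
    elif algo == "pbkdf2_wrapped_sha1":
        expected = _pbkdf2(_sha1(p[1], pw), p[2], int(p[0]))
    else:
        return False
    return hmac.compare_digest(expected, p[-1])

def check_and_upgrade(pw, stored):
    # Login path: verify, then rehash with the plaintext now in hand if not yet preferred.
    if not verify(pw, stored):
        return False, stored
    if not stored.startswith(PREFERRED + "$"):
        stored = make_pbkdf2(pw)
    return True, stored
```

`check_and_upgrade` returns the entry to persist, so the caller writes it back exactly where a framework's login hook would; raising `ITERATIONS` later is the same flow, since an entry with an older iteration count no longer matches the preferred string prefix only if the tag changes, so a real implementation would also compare the stored parameters.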

Go seems pretty nice:

  func GenerateFromPassword(password []byte, cost int) ([]byte, error)
  func CompareHashAndPassword(hashedPassword, password []byte) error
[from golang.org/x/crypto/bcrypt]