August 2018
Intermediate to advanced
366 pages
10h 14m
English
Python 3 introduced key derivation functions in `hashlib`, which are especially convenient when storing passwords. Both pbkdf2 and scrypt are provided. While scrypt is more robust against attacks, as it's both memory- and CPU-heavy, it only works on systems that provide OpenSSL 1.1+. pbkdf2, by contrast, works on any system; in the worst case a pure-Python fallback is used.
So, while from a security point of view scrypt would be preferred, we will rely on pbkdf2 due to its wider availability and the fact that it's been available since Python 3.4 (scrypt is only available on Python 3.6+):
```python
import hashlib, binascii, os

def hash_password(password):
    """Hash a password for storing."""
    salt = hashlib.sha256(os.urandom(60)).hexdigest().encode('ascii')
    ...
```
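The recipe above is cut off before the hash is computed. As an added example, not the book's code, here is a complete pbkdf2-based pair of functions that hash a password for storage and verify a later attempt against the stored record; the record format (`pbkdf2_sha256$iterations$salt$hash`), the iteration count and the salt size are choices made for this example, not values from the book.

```python
import hashlib
import hmac
import os
import binascii

# Parameters chosen for this example (assumptions, not the book's values):
# PBKDF2-HMAC-SHA256 with a 16-byte random salt. The iteration count is
# stored next to the hash so it can be raised later without invalidating
# records written with the old count.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable string 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.

    Each call draws a fresh salt from os.urandom, so hashing the same
    password twice yields two different strings.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)
    return 'pbkdf2_sha256$%d$%s$%s' % (
        iterations,
        binascii.hexlify(salt).decode('ascii'),
        binascii.hexlify(digest).decode('ascii'),
    )


def verify_password(stored: str, provided: str) -> bool:
    """Check `provided` against a string produced by hash_password().

    The iteration count and salt are read back from the stored record, and
    the comparison uses hmac.compare_digest so that response time does not
    reveal how many leading bytes of the digest matched.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split('$')
        iterations = int(iterations)
        salt = binascii.unhexlify(salt_hex)
        expected = binascii.unhexlify(hash_hex)
    except ValueError:
        return False  # malformed record: refuse rather than crash
    if algorithm != 'pbkdf2_sha256' or iterations <= 0:
        return False
    digest = hashlib.pbkdf2_hmac('sha256', provided.encode('utf-8'), salt, iterations)
    return hmac.compare_digest(digest, expected)
```

Store only the string returned by `hash_password`; on login, pass that stored string and the submitted password to `verify_password`.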