Yes, Flask-Security does use salts for each user using bcrypt (and other schemes like des_crypt, pbkdf2_sha256, pbkdf2_sha512, sha256_crypt, sha512_crypt).
The configuration for "SECURITY_PASSWORD_SALT" is used only for HMAC encryption. If you use bcrypt as a hash algorithm, Flask-Security uses passlib for hashing and generates random salt during hashing. This statement is noted in release 268: https://github.com/mattupstate/flask-security/issues/268
This can be verified in the code, going from encryption to passlib:
flask_security / utils.py (lines 143-151, 39 and 269)
def encrypt_password(password): ... return _pwd_context.encrypt(signed) _pwd_context = LocalProxy(lambda: _security.pwd_context)
flask_security / core.py (269, 244-251 and 18)
pwd_context=_get_pwd_context(app) def _get_pwd_context(app): ... return CryptContext(schemes=schemes, default=pw_hash, deprecated=deprecated) from passlib.context import CryptContext
and finally from: https://pythonhosted.org/passlib/password_hash_api.html#passlib.ifc.PasswordHash.encrypt
note that each call to encrypt () generates a new salt,