Use argon2 or scrypt for password hashing. PBKDF2 or bcrypt are also acceptable, but prefer the first two in new systems. Make sure to use appropriate complexity factors.
"shell=True"? Sloppy, mate, sloppy. Get in the habit of never doing that lest you find yourself vulnerable to a shell command injection attack one day.
A good starting point when trying to decide what crypto algorithm to use is https://latacora.micro.blog/2018/04/03/cryptographic-right-a...