I'm wondering what is the state-of-the-art of transmitting passwords from a web form and storing them in the data store.

A lot of recent posts point to bcrypt, however, there are no pure Python implementations, which is a requirement for App Engine.

Any suggestions?

Best practice? Use the Users API with either Google Accounts or OpenID, so you're not storing or transmitting passwords in the first place.

If you must do it yourself, transmit the login data over SSL, and store the password hashed, salted, and strengthened, using a scheme such as PBKDF2.

You can use PyCrypto which has been ported to google-app-engine.

You should never store the actual passwords, of course. Storing a hash should be sufficient. When the user enters his password, you hash it again and compare it to the stored value.

You should of course only receive passwords over https, which is supported in google-app-engine (albeit only through you appspot domain)

BCrypt has been ported to Python some time ago. I've been using it gracefully since then.