author | Eli Collins <elic@assurancetechnologies.com> | 2012-05-17 20:23:24 -0400 |
---|---|---|
committer | Eli Collins <elic@assurancetechnologies.com> | 2012-05-17 20:23:24 -0400 |
commit | 0d39d144d19d759d0654b48d95b18ba712433fad (patch) | |
tree | 3bf0f703bd3e8dcc414cdb0b6a58edb875da5a29 | |
parent | fd8198927c300e2c8f276e9311bc8d85f88a459c (diff) | |
minor documentation updates - typo in changes, better listing of ident values for bcrypt
-rw-r--r-- | CHANGES | 6 | ||||
-rw-r--r-- | docs/lib/passlib.hash.bcrypt.rst | 6 | ||||
-rw-r--r-- | passlib/handlers/bcrypt.py | 16 |
3 files changed, 16 insertions, 12 deletions
@@ -14,9 +14,9 @@ Overview Welcome to Passlib 1.6. - The main goals of this release were to clean up the codebase, tighten input + The main goal of this release was to clean up the codebase, tighten input validation, and simplify the publically exposed interfaces. This release also - brings with it a number of other improvements: 10 or so new hash algorithms, + brings a number of other improvements: 10 or so new hash algorithms, additional security precautions for the existing algorithms, a number of speed improvements, and updated documentation. @@ -139,7 +139,7 @@ Existing Hashes :doc:`ldap_salted_{digest} </lib/passlib.hash.ldap_std>` The LDAP salted digests now support salts of any size - from 4-16 bytes, though they still default to 8 (:issue:`30`). + from 4-16 bytes, though they still default to 4 (:issue:`30`). :doc:`md5_crypt </lib/passlib.hash.md5_crypt>`, :doc:`sha256_crypt </lib/passlib.hash.md5_crypt>`, :doc:`sha512_crypt </lib/passlib.hash.md5_crypt>` The builtin implementation of these hashes has been diff --git a/docs/lib/passlib.hash.bcrypt.rst b/docs/lib/passlib.hash.bcrypt.rst index a44a121..1c7fa49 100644 --- a/docs/lib/passlib.hash.bcrypt.rst +++ b/docs/lib/passlib.hash.bcrypt.rst 
@@ -125,16 +125,16 @@ This implementation of bcrypt differs from others in a few ways: (This behavior will eventually be deprecated and such hashes will throw a :exc:`ValueError` instead). -* the crypt_blowfish bug, and the 2x/2y hashes +* The *crypt_blowfish* 8-bit bug .. _crypt-blowfish-bug: Pre-1.1 versions of the `crypt_blowfish <http://www.openwall.com/crypt/>`_ bcrypt implementation suffered from a serious flaw [#eight]_ in how they handled 8-bit passwords. The manner in which the flaw was fixed resulted - in two new bcrypt hash identifiers: + in *crypt_blowfish* adding support for two new BCrypt hash identifiers: - ``$2x$``, allowing sysadmins to mark ``$2a$`` hashes which potentially were + ``$2x$``, allowing sysadmins to mark any ``$2a$`` hashes which were potentially generated with the buggy algorithm. Passlib 1.6 recognizes, but does not currently support generating or verifying these hashes. diff --git a/passlib/handlers/bcrypt.py b/passlib/handlers/bcrypt.py index 66e4743..3f95d16 100644 --- a/passlib/handlers/bcrypt.py +++ b/passlib/handlers/bcrypt.py 
@@ -78,10 +78,14 @@ class bcrypt(uh.HasManyIdents, uh.HasRounds, uh.HasSalt, uh.HasManyBackends, uh. :type ident: str :param ident: - selects specific version of BCrypt hash that will be used. - Typically you want to leave this alone, and let it default to ``2a``, - but it can be set to ``2`` to use the older (and less secure) - version of the BCrypt algorithm. + Specifies which version of the BCrypt algorithm will be used when creating a new hash. + Typically this option is not needed, as the default (``"2a"``) is usually the correct choice. + If specified, it must be one of the following: + + * ``"2"`` - the first revision of BCrypt, which suffers from a minor security flaw and is generally not used anymore. + * ``"2a"`` - latest revision of the official BCrypt algorithm, and the current default. + * ``"2y"`` - format specific to the *crypt_blowfish* BCrypt implementation, + identical to ``"2a"`` in all but name. :type relaxed: bool :param relaxed: @@ -94,8 +98,8 @@ class bcrypt(uh.HasManyIdents, uh.HasRounds, uh.HasSalt, uh.HasManyBackends, uh. .. versionadded:: 1.6 .. versionchanged:: 1.6 - This class now supports ``2y`` hashes, and recognizes - (but does not support) the broken ``2x`` hashes. + This class now supports ``"2y"`` hashes, and recognizes + (but does not support) the broken ``"2x"`` hashes. (see the :ref:`crypt_blowfish bug <crypt-blowfish-bug>` for details). """ |
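Review bot: In the new `ident` list in the `bcrypt` class docstring, the `"2"` entry says only that the revision "suffers from a minor security flaw", which does not tell a reader what the flaw is or whether stored `$2$` hashes should be re-hashed; I would name the flaw or link to the section that documents it. The `"2y"` entry could also carry an interoperability caveat, for example `other BCrypt implementations may not recognize the $2y$ prefix, so prefer "2a" unless the hashes must match crypt_blowfish output` (worth confirming against the backends this class supports). The list stops at three values, so it would help to state there that `"2x"` is not an accepted value, which at present is only implied by the `versionchanged` note in the next hunk. The class docstring starts and ends outside both hunks, so this is based on the visible lines only.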