PHPass now prefers portable hash over bsdi-crypt

2 files changed, 9 insertions, 3 deletions

diff --git a/docs/lib/passlib.apps.rst b/docs/lib/passlib.apps.rst
index 833ca93..29be43c 100644
--- a/docs/lib/passlib.apps.rst
+++ b/docs/lib/passlib.apps.rst
@@ -110,7 +110,13 @@ It is found in a wide range of PHP applications, including Drupal and Wordpress.
     and implements an custom scheme called the "phpass portable hash" :class:`~passlib.hash.phpass` as a fallback.
 
     BCrypt is used as the default if support is available,
-    otherwise BSDI-Crypt will be used as the default.
+    otherwise the Portable Hash will be used as the default.
+    
+    .. versionchanged:: 1.5
+        Now uses Portable Hash as fallback if BCrypt isn't available.
+        Previously used BSDI-Crypt as fallback
+        (per original PHPass implementation),
+        but it was decided PHPass is in fact more secure.
 
 .. data:: phpbb3_context
 
diff --git a/passlib/apps.py b/passlib/apps.py
index 59643bf..bc72ea4 100644
--- a/passlib/apps.py
+++ b/passlib/apps.py
@@ -85,10 +85,10 @@ postgres_context = LazyCryptContext(["postgres_md5"])
 #phpass & variants
 #=========================================================
 phpass_context = LazyCryptContext(
-    schemes=["bcrypt", "bsdi_crypt", "phpass",],
+    schemes=["bcrypt", "phpass", "bsdi_crypt", ],
 
     #XXX: make this lazy as well? causes bcrypt hash to always get loaded
-    default="bcrypt" if hash.bcrypt.has_backend() else "bsdi_crypt",
+    default="bcrypt" if hash.bcrypt.has_backend() else "phpass",
     )
 
 phpbb3_context = LazyCryptContext(["phpass"], phpass__ident="H")