authorEli Collins <elic@assurancetechnologies.com>2012-01-19 01:40:06 -0500
committerEli Collins <elic@assurancetechnologies.com>2012-01-19 01:40:06 -0500
commitca1560f8bde1b0fffee0a58c7952067a91d0b82f (patch)
tree519a45e8b46cea7e8473604d34f97422cf28667f /docs
parent4c4615329b64287dabd729e3078ab03cb2bb7442 (diff)
deprecating min_verify_time option; doesn't meaningfully increase security, and adds code complexity
Diffstat (limited to 'docs')
-rw-r--r--docs/lib/passlib.context-options.rst19
-rw-r--r--docs/lib/passlib.context-usage.rst3
2 files changed, 10 insertions, 12 deletions
diff --git a/docs/lib/passlib.context-options.rst b/docs/lib/passlib.context-options.rst
index 745e7cf..042b64a 100644
--- a/docs/lib/passlib.context-options.rst
+++ b/docs/lib/passlib.context-options.rst
@@ -47,8 +47,9 @@ of the :class:`!CryptContext` instance itself:
For use in INI files, this may also be specified as a single comma-separated string
of handler names.
- This is primarily used by :meth:`CryptContext.hash_needs_update` and :meth:`CryptPolicy.handler_is_deprecated`.
- If the application does not use these methods, this option can be ignored.
+ This is primarily used by :meth:`CryptContext.hash_needs_update` and
+ :meth:`CryptPolicy.handler_is_deprecated`. If the application does not use
+ these methods, this option can be ignored.
Example: ``deprecated=["des_crypt"]``.
@@ -60,16 +61,18 @@ of the :class:`!CryptContext` instance itself:
Example: ``default="sha256_crypt"``.
-``min_verify_time``
+.. _min-verify-time:
- If specified, all :meth:`CryptContext.verify` calls will take at least this many seconds.
- If set to an amount larger than the time used by the strongest hash in the system,
- this prevents an attacker from guessing the strength of particular hashes through timing measurements.
+``min_verify_time``
- Specified in integer or fractional seconds.
+ If specified, unsuccessful :meth:`CryptContext.verify` calls will take at
+ least this many seconds. Specified in integer or fractional seconds.
Example: ``min_verify_time=0.1``.
+ .. deprecated:: 1.6 this option is not very useful, and will be removed
+ in version 1.8.
+
.. note::
For symmetry with the format of the hash option keywords (below),
@@ -233,7 +236,6 @@ A sample policy file:
schemes = md5_crypt, sha512_crypt, bcrypt
deprecated = md5_crypt
default = sha512_crypt
- min_verify_time = 0.1
#set some common options for all schemes
all.vary_rounds = 10%%
@@ -255,7 +257,6 @@ And the equivalent as a set of python keyword options::
schemes = ["md5_crypt", "sha512_crypt", "bcrypt" ],
deprecated = ["md5_crypt"],
default = "sha512_crypt",
- min_verify_time = 0.1,
#set some common options for all schemes
all__vary_rounds = "10%",
diff --git a/docs/lib/passlib.context-usage.rst b/docs/lib/passlib.context-usage.rst
index 3df3520..9832203 100644
--- a/docs/lib/passlib.context-usage.rst
+++ b/docs/lib/passlib.context-usage.rst
@@ -130,9 +130,6 @@ applications with advanced policy requirements may want to create a hash policy
; (existing md5_crypt hashes will be flagged as needs-updating)
deprecated = md5_crypt
- ;set verify to always take at least 1/10th of a second
- min_verify_time = 0.1
-
;set boundaries for pbkdf2 rounds parameter
; (pbkdf2 hashes outside this range will be flagged as needs-updating)
pbkdf2_sha1.min_rounds = 10000