| author | Eli Collins <elic@assurancetechnologies.com> | 2011-03-29 19:17:28 -0400 |
|---|---|---|
| committer | Eli Collins <elic@assurancetechnologies.com> | 2011-03-29 19:17:28 -0400 |
| commit | 29738f29562013cb97933034649e457c86fb3d2a (patch) | |
| tree | d8e646206f726f8060ceb3d090247e252fc03596 /docs | |
| parent | 2a0a83bbf9a036b89832bdc9c0877d900e215e5c (diff) | |
| download | passlib-29738f29562013cb97933034649e457c86fb3d2a.tar.gz | |
unix_fallback: disabled wildcard support unless explicitly enabled
for security purposes, so as not to surprise new users.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/lib/passlib.hash.unix_fallback.rst | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/docs/lib/passlib.hash.unix_fallback.rst b/docs/lib/passlib.hash.unix_fallback.rst index 982e55f..4870d82 100644 --- a/docs/lib/passlib.hash.unix_fallback.rst +++ b/docs/lib/passlib.hash.unix_fallback.rst @@ -21,16 +21,32 @@ It can be used directly as follows:: >>> uf.encrypt("password") '!' - >>> uf.identify('!') #check if hash is recognized (all hashes are recognized) + >>> #check if hash is recognized (all strings are recognized) + >>> uf.identify('!') + True + >>> uf.identify('*') True >>> uf.identify('') True - >>> uf.verify("password", "") #verify against empty string - all password allowed - True - >>> uf.verify("password", "!") #verify against non-empty string - no passwords allowed + >>> #verify against non-empty string - no passwords allowed + >>> uf.verify("password", "!") + False + + >>> #verify against empty string: + >>> # * by default, no passwords allowed + >>> # * all passwords allowed IF enable_wildcard=True + >>> uf.verify("password", "") False + >>> uf.verify("password", "", enable_wildcard=True) + True Interface ========= .. autoclass:: unix_fallback + +Deviations +========== +According to the Linux ``shadow`` man page, an empty string is treated +as a wildcard by Linux, allowing all passwords. For security purposes, +this behavior is not enabled unless specifically requested by the application. |
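Review bot: The new Deviations section at the end of the hunk says the wildcard behavior is off "unless specifically requested by the application" but never says how to request it; the `enable_wildcard=True` keyword appears only in the doctest above it. Suggest naming the keyword in that paragraph, for example "...unless the application passes ``enable_wildcard=True`` to ``verify()``". The removed lines also show that `uf.verify("password", "")` previously returned True, so this is a change of default for existing callers; a sentence in the docs stating that verification against an empty hash now returns False by default would help anyone upgrading who relied on the old result.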
