1 files changed, 45 insertions, 40 deletions

diff --git a/docs/password_hash_api.rst b/docs/password_hash_api.rst
index 19a2b8d..d2ec5d5 100644
--- a/docs/password_hash_api.rst
+++ b/docs/password_hash_api.rst
@@ -150,9 +150,9 @@ and hash comparison.
     Digest password using format-specific algorithm,
     returning resulting hash string.
 
-    For most hashes supported by Passlib, this string will include
-    an algorithm identifier, a copy of the salt (if applicable),
-    and any other configuration information required to verify the password later.
+    For most hashes supported by Passlib, the returned string will contain:
+    an algorithm identifier, a cost parameter, the salt string,
+    and finally the password digest itself.
 
     :type secret: unicode or bytes
     :arg secret: string containing the password to encode.
@@ -166,28 +166,27 @@ and hash comparison.
         Examples of common keywords include ``rounds`` and ``salt_size``.
 
     :returns:
-        Resulting hash of password, using an algorithm-specific format.
-
+        Resulting password hash, encoded in an algorithm-specific format.
         This will always be an instance of :class:`!str`
         (i.e. :class:`unicode` under Python 3, ``ascii``-encoded :class:`bytes` under Python 2).
 
     :raises ValueError:
 
-        * If a keyword's value is invalid (e.g. if a ``salt`` string
+        * If a ``kwd``'s value is invalid (e.g. if a ``salt`` string
           is too small, or a ``rounds`` value is out of range).
 
-        * If the ``secret`` contains characters forbidden by the handler
+        * If ``secret`` contains characters forbidden by the hash algorithm
           (e.g. :class:`!des_crypt` forbids NULL characters).
 
     :raises TypeError:
 
-        * if ``secret`` is not unicode or bytes.
-        * if a keyword argument had an incorrect type.
-        * if a required keyword was not provided.
+        * if ``secret`` is not :class:`!unicode` or :class:`bytes`.
+        * if a ``kwd`` argument has an incorrect type.
+        * if an algorithm-specific required ``kwd`` is not provided.
 
-    *(Note that the name of this method is a misnomer, password hashes
-    are typically based on irreversible cryptographic operations,
-    see* :issue:`21` *).*
+    *(Note that the name of this method is a misnomer: nearly all
+    password hashes use an irreversible cryptographic digest,
+    rather than a reversible cipher. see* :issue:`21` *).*
 
     .. versionchanged:: 1.6
         Hashes now raise :exc:`TypeError` if a required keyword is missing,
@@ -237,23 +236,23 @@ and hash comparison.
         ``True`` if the secret matches, otherwise ``False``.
 
     :raises TypeError:
-        * if either *secret* or *hash* is not a unicode or bytes instance.
-        * if the hash requires additional keywords which are not provided,
-          or have the wrong type.
+        * if either ``secret`` or ``hash`` is not a unicode or bytes instance.
+        * if the hash requires additional ``kwds`` which are not provided,
+        * if a ``kwd`` argument has the wrong type.
 
     :raises ValueError:
-        * if *hash* does not match this algorithm's format.
-        * if the secret contains forbidden characters (see
+        * if ``hash`` does not match this algorithm's format.
+        * if the ``secret`` contains forbidden characters (see
           :meth:`~PasswordHash.encrypt`).
         * if a configuration/salt string generated by :meth:`~PasswordHash.genconfig`
-          is passed in as the value for *hash* (these strings look
+          is passed in as the value for ``hash`` (these strings look
           similar to a full hash, but typically lack the digest portion
           needed to verify a password).
 
     .. versionchanged:: 1.6
-        This function now raises :exc:`ValueError` if a ``None`` or config string is provided
-        instead of a proper hash; previous releases were inconsistent
-        in their handling of these cases.
+        This function now raises :exc:`ValueError` if ``None`` or a config string is provided
+        instead of a properly-formed hash; previous releases were inconsistent
+        in their handling of these two border cases.
 
 .. _hash-unicode-behavior:
 
@@ -398,14 +397,16 @@ There is currently one additional support method, :meth:`~PasswordHash.identify`
 
     .. note::
 
-        Hashes which lack a reliable method of identification may incorrectly
-        identify each-other's hashes (e.g. both :class:`~passlib.hash.lmhash`
-        and :class:`~passlib.hash.nthash` hash consist 32 hexidecimal characters).
+        A small number of the hashes supported by Passlib lack a reliable
+        method of identification (e.g. :class:`~passlib.hash.lmhash`
+        and :class:`~passlib.hash.nthash` both consist of 32 hexidecimal characters,
+        with no distinguishing features). For such hashes, this method
+        may return false positives.
 
     .. seealso::
 
         If you are considering using this method to select from multiple
-        algorithms in order to verify a password, you may be better served
+        algorithms (e.g. in order to verify a password), you will be better served
         by the :ref:`CryptContext <context-overview>` class.
 
 ..
@@ -518,17 +519,19 @@ the hashes in passlib:
     .. _relaxed-keyword:
 
     ``relaxed``
-        By default, passing :meth:`~PasswordHash.encrypt` an invalid
-        value will result in a :exc:`ValueError`. However, if ``relaxed=True``,
-        Passlib will attempt to correct the error, and if successful,
+        By default, passing an invalid value to :meth:`~PasswordHash.encrypt`
+        will result in a :exc:`ValueError`. However, if ``relaxed=True``
+        then Passlib will attempt to correct the error and (if successful)
         issue a :exc:`~passlib.exc.PasslibHashWarning` instead.
         This warning may then be filtered if desired.
-        Correctable errors include (but aren not limited to): ``rounds``
+        Correctable errors include (but are not limited to): ``rounds``
         and ``salt_size`` values that are too low or too high, ``salt``
-        strings that are too large, etc.
+        strings that are too large.
 
         This option is supported by most of the hashes in Passlib.
 
+        .. versionadded:: 1.6
+
 .. attribute:: PasswordHash.context_kwds
 
     Tuple listing the keywords supported by :meth:`~PasswordHash.encrypt`,
@@ -585,7 +588,7 @@ and the following attributes should be defined:
 .. attribute:: PasswordHash.min_salt_size
 
     The minimum number of bytes/characters required for the salt.
-    Must be an integer between 0 or :attr:`~PasswordHash.max_salt_size`.
+    Must be an integer between 0 and :attr:`~PasswordHash.max_salt_size`.
 
 .. attribute:: PasswordHash.default_salt_size
 
@@ -619,8 +622,8 @@ and the following attributes should be defined:
 
 Rounds Information
 ------------------
-For schemes which support a variable number of iterations to adjust their time-cost,
-``"rounds"`` should be listed in :attr:`~PasswordHash.setting_kwds`,
+For schemes which support a variable time-cost parameter,
+``"rounds"`` should be listed in their :attr:`~PasswordHash.setting_kwds`,
 and the following attributes should be defined:
 
 .. attribute:: PasswordHash.max_rounds
@@ -717,23 +720,25 @@ and the following attributes should be defined:
 
 Choosing the right rounds value
 ===============================
-Passlib's default rounds settings attempt to be secure enough for
+For hash algorithms which support a variable time-cost,
+Passlib's default ``rounds`` choices attempt to be secure enough for
 the average [#avgsys]_ system. But the "right" value for a given hash
 is dependant on the server, it's cpu, it's expected load, and it's users.
 Since larger values mean increased work for an attacker,
-**the right** ``rounds`` **value for a given server should be the largest
-possible value that doesn't cause intolerable delay for your users**.
+*the right* ``rounds`` *value for a given hash & server should be the largest
+possible value that doesn't cause intolerable delay for your users*.
+
 For most public facing services, you can generally have signin
 take upwards of 250ms - 400ms before users start getting annoyed.
 For superuser accounts, it should take as much time as the admin can stand
 (usually ~4x more delay than a regular account).
 
-Passlib's ``default_rounds`` values are retuned every major release (at a minimum)
+Passlib's ``default_rounds`` values are retuned periodically
 by taking a rough estimate of what an "average" system is capable of,
-and setting all the ``default_rounds`` values to take ~300ms on such a system.
+and then setting all :samp:`{hash}.default_rounds` values to take ~300ms on such a system.
 However, some older algorithms (e.g. :class:`~passlib.hash.bsdi_crypt`) are weak enough that
 a tradeoff must be made, choosing "secure but intolerably slow" over "fast but unacceptably insecure".
-For this reason, it is strongly recommended to not use a value lower than Passlib's default.
+For this reason, it is strongly recommended to not use a value much lower than Passlib's default.
 
 .. [#avgsys] For Passlib 1.6, all hashes were retuned to take ~250ms on a
    system with a 3 ghz 64 bit CPU.