diff options
author | Sean Reifscheider <jafo@tummy.com> | 2011-02-22 10:55:44 (GMT) |
---|---|---|
committer | Sean Reifscheider <jafo@tummy.com> | 2011-02-22 10:55:44 (GMT) |
commit | e2dfefbe85e0471c35062146a218aea2270ea600 (patch) | |
tree | 779b690c9e097108530f75b9bf443f8566bd93d7 /Doc/library/crypt.rst | |
parent | f3042782af65fbf68ca7e343357144c676b3fd54 (diff) | |
download | cpython-e2dfefbe85e0471c35062146a218aea2270ea600.zip cpython-e2dfefbe85e0471c35062146a218aea2270ea600.tar.gz cpython-e2dfefbe85e0471c35062146a218aea2270ea600.tar.bz2 |
Issue #10924: Adding salt and Modular Crypt Format to crypt library.
Diffstat (limited to 'Doc/library/crypt.rst')
-rw-r--r-- | Doc/library/crypt.rst | 106 |
1 files changed, 97 insertions, 9 deletions
diff --git a/Doc/library/crypt.rst b/Doc/library/crypt.rst index 0be571e..a5556cf 100644 --- a/Doc/library/crypt.rst +++ b/Doc/library/crypt.rst @@ -15,9 +15,9 @@ This module implements an interface to the :manpage:`crypt(3)` routine, which is a one-way hash function based upon a modified DES algorithm; see the Unix man -page for further details. Possible uses include allowing Python scripts to -accept typed passwords from the user, or attempting to crack Unix passwords with -a dictionary. +page for further details. Possible uses include storing hashed passwords +so you can check passwords without storing the actual password, or attempting +to crack Unix passwords with a dictionary. .. index:: single: crypt(3) @@ -26,15 +26,67 @@ the :manpage:`crypt(3)` routine in the running system. Therefore, any extensions available on the current implementation will also be available on this module. +Hashing Methods +--------------- -.. function:: crypt(word, salt) +The :mod:`crypt` module defines the list of hashing methods (not all methods +are available on all platforms): + +.. data:: METHOD_SHA512 + + A Modular Crypt Format method with 16 character salt and 86 character + hash. This is the strongest method. + +.. versionadded:: 3.3 + +.. data:: METHOD_SHA256 + + Another Modular Crypt Format method with 16 character salt and 43 + character hash. + +.. versionadded:: 3.3 + +.. data:: METHOD_MD5 + + Another Modular Crypt Format method with 8 character salt and 22 + character hash. + +.. versionadded:: 3.3 + +.. data:: METHOD_CRYPT + + The traditional method with a 2 character salt and 13 characters of + hash. This is the weakest method. + +.. versionadded:: 3.3 + +Module Functions +---------------- + +The :mod:`crypt` module defines the following functions: + +.. function:: crypt(word, salt=None) *word* will usually be a user's password as typed at a prompt or in a graphical - interface. *salt* is usually a random two-character string which will be used - to perturb the DES algorithm in one of 4096 ways. The characters in *salt* must - be in the set ``[./a-zA-Z0-9]``. Returns the hashed password as a string, which - will be composed of characters from the same alphabet as the salt (the first two - characters represent the salt itself). + interface. The optional *salt* is either a string as returned from + :func:`mksalt`, one of the ``crypt.METHOD_*`` values (though not all + may be available on all platforms), or a full encrypted password + including salt, as returned by this function. If *salt* is not + provided, the strongest method will be used (as returned by + :func:`methods`. + + Checking a password is usually done by passing the plain-text password + as *word* and the full results of a previous :func:`crypt` call, + which should be the same as the results of this call. + + *salt* (either a random 2 or 16 character string, possibly prefixed with + ``$digit$`` to indicate the method) which will be used to perturb the + encryption algorithm. The characters in *salt* must be in the set + ``[./a-zA-Z0-9]``, with the exception of Modular Crypt Format which + prefixes a ``$digit$``. + + Returns the hashed password as a string, which will be composed of + characters from the same alphabet as the salt. .. index:: single: crypt(3) @@ -42,6 +94,34 @@ this module. different sizes in the *salt*, it is recommended to use the full crypted password as salt when checking for a password. +.. versionchanged:: 3.3 + Before version 3.3, *salt* must be specified as a string and cannot + accept ``crypt.METHOD_*`` values (which don't exist anyway). + +.. function:: methods() + + Return a list of available password hashing algorithms, as + ``crypt.METHOD_*`` objects. This list is sorted from strongest to + weakest, and is guaranteed to have at least ``crypt.METHOD_CRYPT``. + +.. versionadded:: 3.3 + +.. function:: mksalt(method=None) + + Return a randomly generated salt of the specified method. If no + *method* is given, the strongest method available as returned by + :func:`methods` is used. + + The return value is a string either of 2 characters in length for + ``crypt.METHOD_CRYPT``, or 19 characters starting with ``$digit$`` and + 16 random characters from the set ``[./a-zA-Z0-9]``, suitable for + passing as the *salt* argument to :func:`crypt`. + +.. versionadded:: 3.3 + +Examples +-------- + A simple example illustrating typical use:: import crypt, getpass, pwd @@ -57,3 +137,11 @@ A simple example illustrating typical use:: else: return 1 +To generate a hash of a password using the strongest available method and +check it against the original:: + + import crypt + + hashed = crypt.crypt(plaintext) + if hashed != crypt.crypt(plaintext, hashed): + raise "Hashed version doesn't validate against original" |