mbasanta / passlib

Automatically exported from code.google.com/p/passlib

document / test invalid hash value #45

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What features would the enhancement add?
1. document an invalid hash value
2. test / make sure that it does not validate

What parts of the project would this affect?
1. documentation
2. tests

Please provide any additional information below.

For some purposes (like password "reset"), one needs a specific hash value that 
never ever validates against any given password.

Currently, I use "" (empty string), but IIRC it is not really documented that 
this is a hash that is assured to never validate.

Original issue reported on code.google.com by Thomas.J...@gmail.com on 8 Mar 2013 at 10:50

GoogleCodeExporter commented 9 years ago
I like the idea. It might not be possible to have a truly global value in 
passlib, as the hashes don't all have a regular format. After thinking about it 
though, "!" should be rejected by everything except the plaintext hash (which 
doesn't count anyways), and (IIRC) "!" is already used on /etc/shadow on BSD 
systems to indicate a disabled account. 

I'll certainly add something along those lines into 1.7, though it might be a 
CryptContext configuration option rather than a global constant, so projects 
can configure it to handle pre-existing policies.

That said, if you're using a CryptContext, you can have your application do a 
startup check that ``context.identify(DISABLED_HASH_STRING) is None``, which 
will guarantee that none of the hashes in the context will claim that string. 
Though that also means .verify() will throw a ValueError since the hash can't 
be identified, but that would be one thing I'll fix as part of this feature.

Original comment by elic@astllc.org on 20 Mar 2013 at 4:08
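
The startup check suggested in the comment above, together with a wrapper that returns False for the marker instead of letting `.verify()` raise, as an added example that is not part of the original thread or of passlib itself. `DISABLED_HASH_STRING = "!"` follows the comment's suggestion, the function names `assert_marker_unclaimed` and `verify_password` are hypothetical, and the demo assumes passlib 1.7 or later for `CryptContext.hash()`.

```python
"""Startup check and verify wrapper for a 'never validates' hash marker."""

# Marker suggested in the thread; an application-level constant, not a passlib one.
DISABLED_HASH_STRING = "!"


def assert_marker_unclaimed(context, marker=DISABLED_HASH_STRING):
    """Fail fast if any scheme in the context would accept the marker as a hash."""
    scheme = context.identify(marker)
    if scheme is not None:
        raise RuntimeError(
            "disabled-hash marker %r is claimed by scheme %r" % (marker, scheme)
        )


def verify_password(context, password, stored_hash, marker=DISABLED_HASH_STRING):
    """Return False for the marker instead of letting verify() raise ValueError.

    Only the exact marker is special-cased. Any other unidentifiable value
    still raises, so a corrupted hash column is not silently treated as a
    wrong password.
    """
    if stored_hash == marker:
        return False
    return context.verify(password, stored_hash)


if __name__ == "__main__":
    from passlib.context import CryptContext

    ctx = CryptContext(schemes=["sha256_crypt"])
    assert_marker_unclaimed(ctx)  # passes: "!" is not a sha256_crypt hash
    stored = ctx.hash("correct horse")  # constructed sample password
    print(verify_password(ctx, "correct horse", stored))                # True
    print(verify_password(ctx, "correct horse", DISABLED_HASH_STRING))  # False

    # A context that includes the plaintext scheme claims every string,
    # so the startup check must refuse it.
    unsafe = CryptContext(schemes=["sha256_crypt", "plaintext"])
    try:
        assert_marker_unclaimed(unsafe)
    except RuntimeError as exc:
        print("startup check failed:", exc)
```

Run `assert_marker_unclaimed` once at application start, after the context is configured, so a later change to the scheme list cannot quietly turn the marker into a valid hash.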