{ "info": { "author": "Kelvin Wong", "author_email": "code@kelvinwong.ca", "bugtrack_url": null, "classifiers": [ "Development Status :: 3 - Alpha", "Framework :: Django", "Intended Audience :: Developers", "License :: OSI Approved :: BSD License", "Programming Language :: Python :: 2.6", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3.2", "Programming Language :: Python :: 3.3", "Topic :: Security :: Cryptography", "Topic :: Software Development :: Libraries" ], "description": "Django-Scrypt\n*************\n\n*Django-Scrypt* is a *Scrypt*-enabled password hasher for *Django* ver. 1.4/1.5.\n\n.. warning::\n\n The encoded hash format has changed in version 0.2.0. This change is\n backwards incompatible. Please read the notice in the Caveats_ section.\n\n*Scrypt* is a sequential memory-hard key derivation function. This software allows *Django* to access low-level bindings of the *Scrypt* key derivation function via *Py-Scrypt*.\n\nInstallation\n============\n\n.. warning::\n\n This is alpha software under active development and as such it is not suitable for production use. It was tested only\n on **Python 2.6/2.7 on a 32-bit Mac and 64-bit CentOS 6**.\n It probably will not run on Python\n 2.5 since *Py-Scrypt* doesn't run on interpreters earlier than \n Python 2.6.\n\nInstalling *Django-Scrypt* into your system-wide Python's ``site-packages`` directory is not recommended. Instead, use `virtualenv `_ and `virtualenvwrapper `_ to create isolated virtual Python environments and then install this software into the isolated *virtualenv*'s ``site-packages`` directory.\n\n.. note::\n\n You should install `Django 1.4 `_ and `py-scrypt `_ prior to installing\n *Django-Scrypt*\n\nUsing source tarballs\n---------------------\n\n1. Download the *Django-Scrypt* source tarball from Pypi (`Python\n Package Index `_)\n\n http://pypi.python.org/pypi/django-scrypt/\n\n2. Decompress it and make it your working directory::\n\n $ tar zxvf django-scrypt-0.2.3.tar.gz\n $ cd django-scrypt-0.2.3\n\n3. Install it into your ``site-packages`` directory (if you install to the\n system's ``site-packages`` you will probably need to be root or you will\n probably need to use ``sudo`` to copy into protected directories)::\n\n $ python setup.py install\n\n4. Test your installation::\n\n $ python setup.py test\n\nUsing Pip and Pypi\n------------------\n\nIf you are installing to the system-wide ``site-packages`` then you\nwill probably need to be root or you will probably need to use ``sudo``.\n\n1. Use the ``pip`` command to install from Pypi::\n\n $ pip install django-scrypt\n\nUsing a Clone from BitBucket\n----------------------------\n\nSince this is nascent software, you may want to get the most recent\ndevelopment version.\n\n1. Use `Mercurial `_ to clone the\n repository::\n\n $ hg clone https://bitbucket.org/kelvinwong_ca/django-scrypt\n $ cd django-scrypt\n\n2. Install it into your ``site-packages`` (if you install it in your system's\n ``site-packages`` you will probably need to be root or you will probably\n need to use ``sudo``)::\n\n $ python setup.py install\n\n3. Test your installation (seriously, *please* do this)::\n\n $ python setup.py test\n\nKeep in mind that the development tip will always be the least stable and the\nleast tested version of the software. Please excuse the mess.\n\nUsage\n=====\n\nBasic Usage\n-----------\n\n.. warning::\n\n This software depends on *Py-Scrypt* version 0.5.5 to reveal\n the *Scrypt* hashing function. Unfortunately, it contains a bug\n that can result in incorrect hashing when run on 64-bit Linux systems. View\n the *Py-Scrypt* issue tracker for the latest information on this issue. [#]_\n\n.. [#] See *Py-Scrypt* `Issue 6 `_\n\nTo use *Scrypt* as your default password storage algorithm in *Django 1.4/1.5*,\ninstall it and make the following changes. In your *Django 1.4/1.5* application's\n``settings.py`` file, modify the ``PASSWORD_HASHERS`` tuple (or add it if it\nis missing) to include ``ScryptPasswordHasher`` as the first hasher in the\ntuple. It needs to be at the very top.\n\nFor example::\n\n PASSWORD_HASHERS = (\n 'django_scrypt.hashers.ScryptPasswordHasher',\n 'django.contrib.auth.hashers.PBKDF2PasswordHasher',\n 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',\n 'django.contrib.auth.hashers.SHA1PasswordHasher',\n 'django.contrib.auth.hashers.MD5PasswordHasher',\n 'django.contrib.auth.hashers.CryptPasswordHasher',\n )\n\nYou have now changed your app to use *Scrypt* as the default storage\nalgorithm. As users login to your system they will automatically upgrade their hashed passwords to *Scrypt* hashes.\n\n.. note::\n\n You need to keep the other hasher entries in this list or else *Django*\n won't be able to upgrade the passwords!\n\nAdvanced Usage\n--------------\n\nIf you use this software in a resource constrained environment or if you want a higher degree of protection, you can create custom ``ScryptPasswordHashers`` by subclassing the provided ``ScryptPasswordHasher``. Subclassing will allow you to tune the *Scrypt* parameters to meet your needs.\n\nThe first thing to do is create a new custom hasher. Let's assume that you create a new file named ``my_hashers.py`` and you put it into your application root (``my_app``). In that file you can subclass the default hasher::\n\n from django_scrypt.hashers import ScryptPasswordHasher\n\n class BigMemNScryptHasher(ScryptPasswordHasher):\n \"\"\"This hasher is tuned to use lots of memory\n (128 * 2 ** 15 * 8) == 33554432 or ~32mb\n \"\"\"\n algorithm = \"bigN\"\n N = 15\n\nYou can change any (or all) of the class variables ``N``, ``r``, or ``p``. The ``algorithm`` class variable **must** also be changed to a short unique string since it is used to identify and upgrade the hashing scheme in the stored password hash.\n\nTo use ``BigMemNScryptHasher`` as your default password storage algorithm make the following changes. In your application's ``settings.py`` file, modify the ``PASSWORD_HASHERS`` tuple (or add it if it\nis missing) to include ``BigMemNScryptHasher`` as the first hasher in the\ntuple. It needs to be at the very top::\n\n PASSWORD_HASHERS = (\n 'my_app.my_hashers.BigMemNScryptHasher',\n 'django.contrib.auth.hashers.PBKDF2PasswordHasher',\n 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',\n 'django.contrib.auth.hashers.SHA1PasswordHasher',\n 'django.contrib.auth.hashers.MD5PasswordHasher',\n 'django.contrib.auth.hashers.CryptPasswordHasher',\n )\n\nIf you want to change the parameters again in the future, simply repeat the process with another subclass and another unique ``algorithm`` class variable. Add it to the top of the tuple and your users will have their password hashes migrated to the new scheme as they log in.\n\nScrypt Parameters\n-----------------\n\n*Scrypt* takes three tuning parameters: ``N``, ``r`` and ``p``.\nThey affect memory usage and running time. Memory usage is approximately\n``128 * r * N`` bytes. [#]_ These are the default values::\n\n Nexp = lb(N) = 14, r = 8 and p = 1\n where lb is logarithm base 2\n\n*Django-Scrypt* stores ``Nexp`` in the encoded hash, but not ``N``. The positive integer ``Nexp`` is the exponent used to generate ``N`` which is calculated as needed (``N = 2 ** Nexp``). Doing this saves space in the database row. These default values lead to *Scrypt* using ``128 * 8 * 2 ** 14 = 16M`` bytes of memory.\n\nThe values of ``N``, ``r`` and ``p`` affect running time proportionately; however, ``p`` can be used to independently tune the running time since it has a smaller influence on memory usage.\n\nThe final parameter ``buflen`` has been proposed for *Py-Scrypt* but is not implemented. The value will be used to change the size of the returned hash. Currently, *Py-Scrypt's* ``hash`` function returns a message digest of length 64-bytes or 512-bits.\n\n.. [#] Adapted from Falko Peters' `Crypto.Scrypt package for Haskell `_\n\n.. _Caveats:\n\nCaveats\n=======\n\nHash Format Changes As 'N' Removed\n----------------------------------\n\nIn an attempt to shorten the length of the encoded hash, I removed the\n``N``-value and replaced it with an ``N``-exponent value named ``Nexp``.\nThe reason for this is that ``N`` must be a power of \ntwo {2, 4, 8, ... 16384, ...etc...} and those digits take up room in a \n128 character hash storage space. It makes more sense to me to store the exponent and just make the actual integer on the fly.\n\n ``N == 16384 == 2 ** 14 therefore Nexp == 14``\n\nThe old encoded hash format that got stored in *Django's* database was\n\n ``scrypt$salt$16384$8$1$64$Base64Hash==``\n\nThe new and shorter encoded hash format is\n\n ``scrypt$salt$14$8$1$64$Base64Hash==``\n\nThe good news is that \"14\" is three characters shorter than \"16384\". The bad news\nis that this introduces a backwards incompatible change as of version 0.2.0.\n\nIf you see your application generating *HTTP 500 Server Errors* with an *Exception* raised with\n*error: 'hash parameters are wrong (r*p should be < 2**30, and N should\nbe a power of two > 1)'* then you should suspect that an old hash is telling\n*Scrypt* to use ``N = 2 ** 16384`` which is way, way, way too large. The\nsolution is to replace the 16384 in the old hashes with 14. You might have to alter your database manually or write some custom code to fix this change.\n\nDjango Password Field Character Length Limits\n---------------------------------------------\n\nBy default, *Django* limits password field lengths to 128 characters. Using\nthe default settings in *Django-Scrypt* with *Django's* salting\nimplementation should yield encoded hashes less than 128 characters (approx 119 characters); however, if you override the ``ScryptPasswordHasher``\nclass variables you might end up overflowing the default password field.\n\nThe solution is to increase the size of the password field using SQL. You\nshould consult your database documentation for the correct commands necessary to alter your database.\n\nBugs! Help!!\n============\n\nIf you find any bugs in this software please report them via the BitBucket\nissue tracker [#]_ or send an email to code@kelvinwong.ca. Any serious\nsecurity bugs should be reported via email only.\n\n.. [#] Django-Scrypt issue tracker https://bitbucket.org/kelvinwong_ca/django-scrypt/issues\n\nThank-you\n=========\n\nThank-you for taking the time to evaluate this software. I appreciate\nreceiving feedback on your experiences using it and I welcome code\ncontributions and development ideas.\n\nhttp://www.kelvinwong.ca/coders\n\nThanks to Dr Colin Percival for his original *Scrypt* software [#]_,\nalso to Magnus Hallin for the *Py-Scrypt* Python module [#]_.\n\n.. [#] Visit http://www.tarsnap.com/scrypt.html\n.. [#] Visit http://pypi.python.org/pypi/scrypt/", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://bitbucket.org/kelvinwong_ca/django-scrypt", "keywords": "Py-Scrypt,Scrypt,Django,Django-Scrypt", "license": "UNKNOWN", "maintainer": null, "maintainer_email": null, "name": "django-scrypt", "package_url": "https://pypi.org/project/django-scrypt/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/django-scrypt/", "project_urls": { "Download": "UNKNOWN", "Homepage": "https://bitbucket.org/kelvinwong_ca/django-scrypt" }, "release_url": "https://pypi.org/project/django-scrypt/0.2.3/", "requires_dist": null, "requires_python": null, "summary": "A Scrypt-enabled password hasher for Django 1.4/1.5", "version": "0.2.3" }, "last_serial": 790549, "releases": { "0.1.0": [ { "comment_text": "", "digests": { "md5": "82396f53ff904dc11e3309e6737d0ac3", "sha256": "cc8fbc7f2fd892b541d23f8cd1e280a9836e956bafab66669e19a17936f37423" }, "downloads": -1, "filename": "django-scrypt-0.1.0.tar.gz", "has_sig": false, "md5_digest": "82396f53ff904dc11e3309e6737d0ac3", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 4784, "upload_time": "2012-07-05T15:22:05", "url": "https://files.pythonhosted.org/packages/41/3f/5d63c0d307f4131acaebbc8c099c85a66e0ce97ed85f9980a2e3c661a1aa/django-scrypt-0.1.0.tar.gz" } ], "0.2.0": [ { "comment_text": "", "digests": { "md5": "899147a9c55c1e13f716c413c3ace62f", "sha256": "3102f1535f8ce8c57583214b4730cf386ca9da1fd5d4e2bd6136df88ebee4883" }, "downloads": -1, "filename": "django-scrypt-0.2.0.tar.gz", "has_sig": false, "md5_digest": "899147a9c55c1e13f716c413c3ace62f", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 6805, "upload_time": "2012-07-06T13:28:10", "url": "https://files.pythonhosted.org/packages/9a/78/3c0ae8c9f98231cf379b7b008747c6846159758669979667ba40d89a10ad/django-scrypt-0.2.0.tar.gz" } ], "0.2.1": [ { "comment_text": "", "digests": { "md5": "76ce7d67f735e0d9d392c920133b01ed", "sha256": "75dd7afc221ba4de6b0366b8447909e583193d080073ee83b6a8fd6b3aff8884" }, "downloads": -1, "filename": "django-scrypt-0.2.1.tar.gz", "has_sig": false, "md5_digest": "76ce7d67f735e0d9d392c920133b01ed", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 7453, "upload_time": "2012-07-07T14:36:50", "url": "https://files.pythonhosted.org/packages/0c/80/0fc547ae15033ce2ba069eae510ae026c19d3fdc963943d669cfcc8f666e/django-scrypt-0.2.1.tar.gz" } ], "0.2.2": [ { "comment_text": "", "digests": { "md5": "dad0d97d99d31d7d6adac08895b8858a", "sha256": "8bf85e458eb808eb9ee1c10c0eea1bf182923980cbc790f230dfa8e6314b14ba" }, "downloads": -1, "filename": "django-scrypt-0.2.2.tar.gz", "has_sig": false, "md5_digest": "dad0d97d99d31d7d6adac08895b8858a", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 9586, "upload_time": "2012-07-17T08:23:38", "url": "https://files.pythonhosted.org/packages/f5/02/240f05a2e87316c8c421dee94a3e3c17b04597a22c72ce5cfc191e21fe36/django-scrypt-0.2.2.tar.gz" } ], "0.2.3": [ { "comment_text": "", "digests": { "md5": "2c62d25c0cb322665cc06b7c4ff6fc72", "sha256": "e81a35ae85c21544a2f1541317ff78f525632553be916d6d3711f4ee88ee1966" }, "downloads": -1, "filename": "django-scrypt-0.2.3.tar.gz", "has_sig": true, "md5_digest": "2c62d25c0cb322665cc06b7c4ff6fc72", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12406, "upload_time": "2013-04-10T09:26:38", "url": "https://files.pythonhosted.org/packages/fc/e3/3056ac30ebbfa8a36dfedfbb47bdbb641e00bc2cb15a2dd0049e7b732ee5/django-scrypt-0.2.3.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "2c62d25c0cb322665cc06b7c4ff6fc72", "sha256": "e81a35ae85c21544a2f1541317ff78f525632553be916d6d3711f4ee88ee1966" }, "downloads": -1, "filename": "django-scrypt-0.2.3.tar.gz", "has_sig": true, "md5_digest": "2c62d25c0cb322665cc06b7c4ff6fc72", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 12406, "upload_time": "2013-04-10T09:26:38", "url": "https://files.pythonhosted.org/packages/fc/e3/3056ac30ebbfa8a36dfedfbb47bdbb641e00bc2cb15a2dd0049e7b732ee5/django-scrypt-0.2.3.tar.gz" } ] }