Metadata-Version: 1.1
Name: z3c.bcrypt
Version: 1.2
Summary: Password manager utility using bcrypt or pbkdf2 encoding. Useful in combination with zope.password
Home-page: http://pypi.python.org/pypi/z3c.bcrypt
Author: The Health Agency and the Zope Community
Author-email: zope3-dev@zope.org
License: ZPL 2.1
Description: z3c.bcrypt
        ==========
        
        z3c.bcrypt provides `zope.password`_ compatible "password manager" utilities
        that use bcrypt (or alternatively pbkdf2) encoding for storing passwords.
        
        Both encoding schemes are implemented in the cryptacular_ library that is
        a dependency of this package.
        
        .. _`zope.password`: http://pypi.python.org/pypi/zope.password
        .. _cryptacular: http://pypi.python.org/pypi/cryptacular
        
        
        z3c.bcrypt
        ===========
        
            >>> from zope.interface.verify import verifyObject
            >>> from zope.password.interfaces import IPasswordManager
            >>> from z3c.bcrypt import BcryptPasswordManager
            >>> manager = BcryptPasswordManager()
            >>> verifyObject(IPasswordManager, manager)
            True
        
            >>> password = u"right \N{CYRILLIC CAPITAL LETTER A}"
        
            >>> encoded = manager.encodePassword(password)
            >>> encoded
            '$2a$...'
            >>> manager.checkPassword(encoded, password)
            True
            >>> manager.checkPassword(encoded, password + u"wrong")
            False
        
            >>> from z3c.bcrypt import PBKDF2PasswordManager
            >>> manager = PBKDF2PasswordManager()
            >>> verifyObject(IPasswordManager, manager)
            True
        
            >>> encoded = manager.encodePassword(password)
            >>> encoded
            u'$p5k2$...'
            >>> manager.checkPassword(encoded, password)
            True
            >>> manager.checkPassword(encoded, password + u"wrong")
            False
        
            >>> # A previously encoded password should still verify even if the
            >>> # current encoding of the same password is different:
            >>> previouslyencoded = (
            ...     '$p5k2$1000$LgAFPIlc9CgrlSaxHyTUMA='
            ...     '=$IuUYplhMkR4qCl8-ONRVjEgJNwE=')
            >>> encoded == previouslyencoded
            False
            >>> manager.checkPassword(previouslyencoded, password)
            True
        
        Excessively long "passwords" consume a lot of computation time, which
        can be used as a denial-of-service (DoS) attack vector. The password
        managers in z3c.bcrypt will only use the first 4096 characters of the
        incoming password for checking.
        
        This is inspired by:
        
          https://www.djangoproject.com/weblog/2013/sep/15/security/
        
        This test would take significantly longer if the 4096 length limit were
        not in place. XXX how to test that reliably?
        
            >>> incoming = '$p5k2$1000$' + 'a' * 1024 * 1024 * 100  # a lot of data
            >>> manager.checkPassword(encoded, incoming)
            False
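
        The truncate-before-hashing defence described above, as an added example
        built on the standard library (it is not z3c.bcrypt's or cryptacular's own
        code): the `$pbkdf2$` record layout, the iteration count and the helper
        names are assumptions for this example, and the 4096-character cap is the
        one the text states.

```python
import base64
import hashlib
import hmac
import os

# Same cap as z3c.bcrypt 1.2: only this many characters of a submitted
# password are ever fed to the key derivation function.
MAX_PASSWORD_LENGTH = 4096
ITERATIONS = 1000  # hypothetical work factor chosen for this example


def _to_bytes(password):
    # Truncate *before* hashing, so an attacker-chosen multi-megabyte string
    # costs no more than a 4096-character one. Cutting by characters keeps
    # the byte length bounded too (at most 4 bytes per UTF-8 character).
    return password[:MAX_PASSWORD_LENGTH].encode("utf-8")


def encode_password(password, salt=None):
    # Constructed "$pbkdf2$<iterations>$<salt>$<key>" record layout for this
    # example; it is not cryptacular's "$p5k2$" format.
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", _to_bytes(password), salt, ITERATIONS)
    return "$pbkdf2$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def check_password(encoded, password):
    # A malformed stored record is a verification failure, never an exception.
    try:
        _, scheme, iterations, salt_b64, dk_b64 = encoded.split("$")
        if scheme != "pbkdf2":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", _to_bytes(password), salt, iterations, len(expected))
    # Constant-time comparison of the derived keys.
    return hmac.compare_digest(actual, expected)


def hashed_length(password):
    # Number of bytes that actually reach PBKDF2 for a given submission.
    return len(_to_bytes(password))
```

        Because of the cap, two submissions that agree on their first 4096
        characters verify identically; that is the trade-off the limit makes.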
        
        
        Changelog of z3c.bcrypt
        =======================
        
        1.2 (2013-10-10)
        ----------------
        
        - Only verify the first 4096 characters of a password to prevent
          denial-of-service attacks through repeated submission of large
          passwords, tying up server resources in the expensive computation
          of the corresponding hashes.
        
          See: https://www.djangoproject.com/weblog/2013/sep/15/security/
        
        1.1 (2010-02-22)
        ----------------
        
        - Fixes in the configure.zcml.
        
        1.0 (2010-02-18)
        ----------------
        
        - Initial public release.
        
        
        
Keywords: zope authentication password bcrypt pbkdf2
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Web Environment
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Zope Public License
Classifier: Programming Language :: Python
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Framework :: Zope3
