pyca/bcrypt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
109 Commits 8 Branches 28 Tags 2.7 MiB
Python 71.4%
Rust 28.6%
4301291ce6
Go to file
Paul Kehrer 4301291ce6 bump version to 3.0.0 (#72)
2016-06-28 10:42:37 -05:00
.travis add OS X to travis configs (#71) 2016-06-22 21:32:40 -04:00
src bump version to 3.0.0 (#72) 2016-06-28 10:42:37 -05:00
tests Add bcrypt pbkdf support (#70) 2016-06-27 15:07:53 -05:00
.coveragerc Enable coverage testing and require 100% coverage 2014-12-05 21:24:16 -05:00
.gitignore update gitignores 2015-03-04 00:14:11 -06:00
.travis.yml add OS X to travis configs (#71) 2016-06-22 21:32:40 -04:00
LICENSE Initial import 2013-05-10 22:06:18 -04:00
MANIFEST.in Convert bcrypt to use OpenBSD code (#68) 2016-06-27 11:53:42 -05:00
README.rst Add bcrypt pbkdf support (#70) 2016-06-27 15:07:53 -05:00
requirements.txt Add tests to ensure behavior 2013-05-10 23:44:58 -04:00
setup.py raise a decent error if pypy <2.6 + update README 2016-02-13 21:19:33 -06:00
tox.ini Merge branch 'master' into alex-patch-1 2015-10-18 09:54:42 -04:00

README.rst

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

bcrypt
======

.. image:: https://img.shields.io/pypi/v/bcrypt.svg
    :target: https://pypi.python.org/pypi/bcrypt/
    :alt: Latest Version

.. image:: https://travis-ci.org/pyca/bcrypt.svg?branch=master
    :target: https://travis-ci.org/pyca/bcrypt

Modern password hashing for your software and your servers


Installation
============

To install bcrypt, simply:

.. code:: bash

    $ pip install bcrypt

Note that bcrypt should build very easily on Linux provided you have a C compiler, headers for Python (if youre not using pypy), and headers for the libffi libraries available on your system.

For Debian and Ubuntu, the following command will ensure that the required dependencies are installed:

.. code:: bash

    $ sudo apt-get install build-essential libffi-dev python-dev

For Fedora and RHEL-derivatives, the following command will ensure that the required dependencies are installed:

.. code:: bash

    $ sudo yum install gcc libffi-devel python-devel

Changelog
=========

3.0.0
-----
* Switched the C backend to code obtained from the OpenBSD project rather than
  openwall.
* Added support for `bcrypt_pbkdf` via the `kdf` function.

2.0.0
-----
* Added support for an adjustible prefix when calling `gensalt`.
* Switched to CFFI 1.0+

Usage
-----

Hashing
~~~~~~~

Hashing and then later checking that a password matches the previous hashed
password is very simple:

.. code:: pycon

    >>> import bcrypt
    >>> password = b"super secret password"
    >>> # Hash a password for the first time, with a randomly-generated salt
    >>> hashed = bcrypt.hashpw(password, bcrypt.gensalt())
    >>> # Check that a unhashed password matches one that has previously been
    >>> #   hashed
    >>> if bcrypt.hashpw(password, hashed) == hashed:
    ...     print("It Matches!")
    ... else:
    ...     print("It Does not Match :(")

KDF
~~~

As of 3.0.0 `bcrypt` now offers a `kdf` function which does `bcrypt_pbkdf`.
This KDF is used in OpenSSH's newer encrypted private key format.

.. code:: pycon

    >>> import bcrypt
    >>> key = bcrypt.kdf(
    ...     password=b'password',
    ...     salt=b'salt',
    ...     desired_key_bytes=32,
    ...     rounds=100)


Adjustable Work Factor
~~~~~~~~~~~~~~~~~~~~~~
One of bcrypt's features is an adjustable logarithmic work factor. To adjust
the work factor merely pass the desired number of rounds to
``bcrypt.gensalt(rounds=12)`` which defaults to 12):

.. code:: pycon

    >>> import bcrypt
    >>> password = b"super secret password"
    >>> # Hash a password for the first time, with a certain number of rounds
    >>> hashed = bcrypt.hashpw(password, bcrypt.gensalt(14))
    >>> # Check that a unhashed password matches one that has previously been
    >>> #   hashed
    >>> if bcrypt.hashpw(password, hashed) == hashed:
    ...     print("It Matches!")
    ... else:
    ...     print("It Does not Match :(")


Adjustable Prefix
~~~~~~~~~~~~~~~~~

Another one of bcrypt's features is an adjustable prefix to let you define what
libraries you'll remain compatible with. To adjust this, pass either ``2a`` or
``2b`` (the default) to ``bcrypt.gensalt(prefix=b"2b")`` as a bytes object.

As of 3.0.0 the `$2y$` prefix is still supported in `hashpw` but deprecated.

Maxmimum Password Length
~~~~~~~~~~~~~~~~~~~~~~~~

The bcrypt algorithm only handles passwords up to 72 characters, any characters
beyond that are ignored. To work around this, a common approach is to hash a
password with a cryptographic hash (such as ``sha256``) and then base64
encode it to prevent NULL byte problems before hashing the result with
``bcrypt``:

.. code:: pycon

    >>> password = b"an incredibly long password" * 10
    >>> hashed = bcrypt.hashpw(
    ...     base64.b64encode(hashlib.sha256(password).digest()),
    ...     bcrypt.gensalt()
    ... )

Compatibility
-------------

This library should be compatible with py-bcrypt and it will run on Python
2.6+, 3.3+, and PyPy 2.6+.

C Code
------

This library uses code from OpenBSD.

Security
--------

``bcrypt`` follows the `same security policy as cryptography`_, if you
identify a vulnerability, we ask you to contact us privately.

.. _`same security policy as cryptography`: https://cryptography.io/en/latest/security/