document / test invalid hash value

Issue #45 resolved
Former user created an issue

(Imported from Google Code)

Thomas.J.Waldmann wrote:

What features would the enhancement add?
1. document a invalid hash value
2. test / make sure that it does not validate

What parts of the project would this effect?
1. documentation
2. tests

Please provide any additional information below.

For some purposes (like password "reset"), one needs a specific hash value that never ever validates against any given password.

Currently, I use "" (empty string), but IIRC it is not really documented that this is a hash that is assured to never validate.

Comments (2)

  1. Eli Collins repo owner
    • assigned issue to True
    • marked as minor
    • changed status to open
    • changed type to enhancement
    • changed Milestone to 1.7

    (Imported from Google Code)

    I like the idea. It might not be possible to have a truly global value in passlib, as the hashes don't all have a regular format. After thinking about it though, "!" should be rejected by everything except the plaintext hash (which doesn't count anyways), and (IIRC) "!" is already used on /etc/shadow on BSD systems to indicate a disabled account.

    I'll certainly add something along those lines into 1.7, though it might be a CryptContext configuration option rather than a global constant, so projects can configure it to handle pre-existing policies.

    That said, if you're using a CryptContext, you can have your application do a startup check that context.identify(DISABLED_HASH_STRING) is None, which will guarantee that none of the hashes in the context will claim that string. Though that also means .verify() will throw a ValueError since the hash can't be identified, but that would be one thing I'll fix as part of this feature.

  2. Eli Collins repo owner

    Implemented as of rev 3e9595c57832, and will be in 1.7 release.

    This revision adds three new methods to CryptContext: .is_enabled(), .disable(), and .enable(). Assuming "unix_disabled" is one of the supported schemes, these three methods should support disabling passwords, optionally restoring back the original hash, and testing the status of a hash.

  3. Log in to comment