HtpasswdFile does not support bcrypt

Issue #55 resolved
Former user created an issue

(Imported from Google Code)

pdewacht wrote:

What steps will reproduce the problem?

Add an htpasswd entry using the bcrypt algorithm:

htpasswd -B htaccess user pass

Such entries look like this:


passlib cannot verify this.

What version of the passlib & python are you using? On what operating

Python 3.2.3, passlib 1.6.2

Please provide any additional information below.

See Apache PR 49288 for more information:

Comments (2)

  1. Eli Collins repo owner
    • changed status to open
    • changed Milestone to 1.6.3

    (Imported from Google Code)

    Nice catch, I wasn't aware they'd finally added support. I'll definitely get that added in.

    I should be able to get support added into the 1.6.3 release going out later this week. Once that's out, you should be able to do HtpasswdFile(default_scheme="bcrypt") to have it generate bcrypt hashes by default (it'll recognize them regardless).

    I'd like to make it the default for security reasons, but that might cause some portability issues, and I don't want to do it in a bugfix release. So that will probably be delayed until the 1.7 release.

    In the meantime, there's an obscurely documented option in HtpasswdFile which allows you to pass in a custom CryptContext instance, with arbitrary hashes and configuration. Doing HtpasswdFile(context=CryptContext(["bcrypt", "apr_md5_crypt", "des_crypt", "ldap_sha1", "plaintext"])) should create a HtpasswdFile instance with bcrypt support that works even under 1.6.2.

  2. Eli Collins repo owner

    HtpasswdFile's default context now recognizes bcrypt, sha256_crypt (fixes issue 55); also added default_scheme="portable" to ease transition to passlib 1.7's new default behavior.

    → <<cset 65fde00ea52b>>
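
An added example (not passlib's code and not from the thread): a stdlib-only classifier that reports which entries in an htpasswd file use a scheme outside a given list, such as the scheme list passed to CryptContext in the first comment. The function names and the sample file are constructed for illustration.

```python
import base64
import hashlib
import re

# passlib scheme names from the thread, matched in order against htpasswd's on-disk formats.
PATTERNS = [
    ("bcrypt", re.compile(r"\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}")),
    ("sha256_crypt", re.compile(r"\$5\$.+")),
    ("apr_md5_crypt", re.compile(r"\$apr1\$.+")),
    ("ldap_sha1", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}=")),
    ("des_crypt", re.compile(r"[./A-Za-z0-9]{13}")),
]


def identify(hash_field):
    """Return the scheme name for one htpasswd hash field."""
    for name, pattern in PATTERNS:
        if pattern.fullmatch(hash_field):
            return name
    # Fallback (htpasswd -p); a 13-char plaintext looks like des_crypt by format.
    return "plaintext"


def audit(htpasswd_text, allowed):
    """Map user -> scheme for entries whose scheme is not in `allowed`."""
    flagged = {}
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        # Apache reads only user and hash; anything after a second colon is ignored.
        user, hash_field = line.split(":", 2)[:2]
        scheme = identify(hash_field)
        if scheme not in allowed:
            flagged[user] = scheme
    return flagged


# Constructed sample file: placeholder hash bodies, not real credentials.
SAMPLE = "\n".join([
    "alice:$2y$05$" + "A" * 53,
    "bob:$apr1$saltsalt$" + "B" * 22,
    "carol:{SHA}" + base64.b64encode(hashlib.sha1(b"pass").digest()).decode(),
    "dave:ab" + "C" * 11,
    "erin:hunter2",
])

if __name__ == "__main__":
    print(audit(SAMPLE, allowed={"bcrypt"}))
```

Calling audit() with a scheme list that lacks "bcrypt" flags the entries such a context cannot verify; calling it with {"bcrypt"} lists the entries still to be migrated.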
