Python 3 password hashing library
Wachtwoord is a ridiculously simple Python 3 specific password hashing library. It was written as none of the existing password hashing libraries, most notably fshp, passlib, cryha and Bcryptor supported Python 3.
Supported Hashing Schemes
Currently only one specific hashing scheme is supported: PBKDF2.
IMPORTANT Versions up to and including 0.12 didn’t implement PBKDF2 correctly. This version implements PBKDF2 directly from the specification as detailed in RFC2898. The implementation is tested against publicized test vectors (RFC6070)
As Python 3 is very strict about the distinction between unicode strings and byte strings, Wachtwoord was designed to provide a uniform interface by requiring all input to be unicode strings and generating unicode strings as output exclusively.
Wachtwoord supports all the hash functions from the hashlib module. The length of the salt (default: 32) and the number of iterations (default: 10000) are configurable.
Two Modes Of Operation
Wachtwoord has two modes of operation. One where some minor initialization (that can fail) is done separately from the hashing of a password and one where both are done in one go. The former is more convenient when multiple passwords need to be hashed one after another. The other is more convenient when hashing is incidental.
Future hashing scheme extensions to Wachtwoord might make the initialization part more expensive. For the PBKDF2 scheme the difference is very small.
Separate initialization and hashing
>>> from wachtwoord.pbkdf2 import Engine >>> engine = Engine() >>> hash_encoded_password = engine.hash('secret_123') >>> print(hash_encoded_password) pbkdf2$sha512$10000$2qf1oL9GU0gq+Zf2+vWmuliL0WizwvyFUMWV3jG3o/M=$gzSkk0/WjTHACyaeDBe3czNdI+3iukVUm3f+vzNop2b/LwLQWf0r8WKv1TfzWaqYOnPH8vC3tDTBxdGDzEDYRw== >>> >>> is_correct_password = engine.verify('secret_123', hash_encoded_password) >>> print(is_correct_password) True >>>
The Engine object allows certain parameters to be set that influence all the hashes that are subsequently generated. For instance, say we want to use the sha256 hash function instead of the default sha512 hash function:
>>> from wachtwoord.pbkdf2 import Engine >>> engine = Engine(digestmod='sha256') >>>
Similarly if we want to change the salt size and number of iterations we would call Engine as follows:
>>> from wachtwoord.pbkdf2 import Engine >>> engine = Engine(digestmod='sha256', iterations=20000, salt_size=64) >>>
Initialization and hashing in one go
>>> from wachtwoord.pbkdf2 import hash_password, verify_password >>> hash_encoded_password = hash_password('secret_123') >>> print(hash_encoded_password) pbkdf2$sha512$10000$f6ULrQBJspk6JiwHiEDL8fpFLCf90mOAxAM1LCY4dO0=$xzCLvTdp7eQUuY5pfgFl33dx7/uGIMaeZ5Bm5hmLTMx43zi/OCiNgORRmkb5KfkjxRDkD7VNc/45DbHX1zDhcA== >>> >>> is_correct_password = verify_password('secret_123', hash_encoded_password) >>> print(is_correct_password) True >>>
The fact that the initialization and hashing happen in one go does not prevent us from changing the default values. We could have called hash_password as follows:
>>> from wachtwoord.pbkdf2 import hash_password >>> hash_encoded_password = hash_password('secret_123', digestmod='sha256', iterations=20000, salt_size=64)
Origin of the name Wachtwoord
Wachtwoord is Dutch for password.