keystone.common.password_hashing module¶
-
keystone.common.password_hashing.
check_password
(password, hashed)[source]¶ Check that a plaintext password matches hashed.
hashpw returns the salt value concatenated with the actual hash value. It extracts the actual salt if this value is then passed as the salt.
-
keystone.common.password_hashing.
hash_user_password
(user)[source]¶ Hash a user dict’s password without modifying the passed-in dict.
-
keystone.common.password_hashing.
verify_length_and_trunc_password
(password)[source]¶ Verify and truncate the provided password to the max_password_length.
We also need to check that the configured password hashing algorithm does not silently truncate the password. For example, passlib.hash.bcrypt does this: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues