z3c.bcrypt 2.0.1

z3c.bcrypt

z3c.bcrypt提供与zope.password兼容的“密码管理器”实用程序 使用bcrypt（或者pbkdf2）编码来存储密码的。

这两种编码方案都在cryptacular库中实现，即 此包的依赖项。

使用z3c.bcrypt

>>> from zope.interface.verify import verifyObject
>>> from zope.password.interfaces import IPasswordManager
>>> from z3c.bcrypt import BcryptPasswordManager
>>> manager = BcryptPasswordManager()
>>> verifyObject(IPasswordManager, manager)
True

>>> password = u"right \N{CYRILLIC CAPITAL LETTER A}"

>>> encoded = manager.encodePassword(password)
>>> encoded
'$2a$...'
>>> manager.checkPassword(encoded, password)
True
>>> manager.checkPassword(encoded, password + u"wrong")
False

>>> from z3c.bcrypt import PBKDF2PasswordManager
>>> manager = PBKDF2PasswordManager()
>>> verifyObject(IPasswordManager, manager)
True

>>> encoded = manager.encodePassword(password)
>>> encoded
u'$p5k2$...'
>>> manager.checkPassword(encoded, password)
True
>>> manager.checkPassword(encoded, password + u"wrong")
False

>>> # A previously encoded password, should be decodable even if the
>>> # current encoding of the same password is different::
>>> previouslyencoded = (
...     '$p5k2$1000$LgAFPIlc9CgrlSaxHyTUMA='
...     '=$IuUYplhMkR4qCl8-ONRVjEgJNwE=')
>>> encoded == previouslyencoded
False
>>> manager.checkPassword(previouslyencoded , password)
True

过长的“密码”将占用大量的计算时间 可用作DoS攻击向量。z3c.bcrypt中的密码管理器将 只使用输入密码的前4096个字符进行检查。

灵感来源：

https://www.djangoproject.com/weblog/2013/sep/15/security/

如果4096长度限制 没有到位。如何可靠地测试？

>>> incomming = '$p5k2$1000$' + 'a' * 1024 * 1024 * 100  # lot of data.
>>> manager.checkPassword(encoded, incomming)
False

z3c.bcrypt的变更日志