securitylib.passwords — Creation and validation of user passwords.

securitylib.passwords.prepare_password_for_storage(password, authenticator_key)

Use this function when you need to store a password. It returns a hex representation of the password, produced by a one-way transformation, that is safe to store. Because the transformation is one-way, the original password cannot be recovered from the stored value; to verify a login, pass the candidate password to compare_stored_password() together with the stored value.

Parameters:
  • password (str) – The password to be prepared for storage.
  • authenticator_key (str) – This key makes it harder for an attacker to recover users' passwords even after compromising the database. The transformation of the password is made unique to the given authenticator_key, so an attacker who obtains the stored password has no way to verify whether a candidate password matches it without also knowing the key. This also means the key MUST be stored separately from the stored passwords; otherwise an attacker who compromises the database also obtains the key. Other recommendations include storing it outside the webserver tree, with read permissions only for the application that must read it. You can use generate_authenticator_key() to generate it.
Returns:

str – Returns the password prepared for storage.

securitylib.passwords.compare_stored_password(password, authenticator_key, stored_password)

Use this function to verify a password given by a user against a password stored with prepare_password_for_storage().

Parameters:
  • password (str) – The password to be compared to the stored one.
  • authenticator_key (str) – The key that was used when storing the password, as a byte string.
  • stored_password (str) – Stored password against which the given password is to be compared.
Returns:

bool – True if the given password matches the stored one.
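The following is an added illustration of the keyed, one-way storage pattern described above, not securitylib's own algorithm: it binds a slow salted hash to a secret key (PBKDF2 followed by an HMAC, an assumption made for the demo) so that the stored value cannot be checked against guesses without the key that lives outside the database. Function names, the iteration count and the `salt:digest` layout are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumption for the demo; tune for your hardware

def keyed_prepare(password: str, authenticator_key: bytes,
                  salt: Optional[bytes] = None) -> str:
    """Return a hex string 'salt:digest' suitable for storing (demo layout)."""
    salt = os.urandom(16) if salt is None else salt
    # Slow, salted one-way function so each guess is expensive...
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # ...then bind the result to the secret key: without the key, the stored
    # digest cannot be recomputed, so offline guessing against a dumped table fails.
    tag = hmac.new(authenticator_key, derived, hashlib.sha256).digest()
    return salt.hex() + ":" + tag.hex()

def keyed_compare(password: str, authenticator_key: bytes,
                  stored_password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, tag_hex = stored_password.split(":", 1)
    recomputed = keyed_prepare(password, authenticator_key, bytes.fromhex(salt_hex))
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(recomputed.split(":", 1)[1], tag_hex)

def demo() -> Tuple[bool, bool, bool]:
    key = os.urandom(32)  # constructed; in practice loaded from outside the DB
    stored = keyed_prepare("correct horse", key)
    return (
        keyed_compare("correct horse", key, stored),   # right password, right key
        keyed_compare("wrong password", key, stored),  # wrong password
        keyed_compare("correct horse", os.urandom(32), stored),  # right password, wrong key
    )
```

The third result shows the property the documentation insists on: a database dump alone, without the separately stored key, is not enough to confirm even the correct password.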

securitylib.passwords.generate_password(length=12, lower=True, upper=True, digits=True, special=True, ambig=True)

Generates a password according to the given parameters. It is guaranteed that if a type of character (lower, upper, etc.) is allowed in the password, the generated password will always contain at least one character of that type; e.g. if the parameter special is True, the generated password will contain at least one special character.

Parameters:
  • length (int) – Length of the generated password. Must be at least 8.
  • lower (bool) – Whether the password should contain lower case characters.
  • upper (bool) – Whether the password should contain upper case characters.
  • digits (bool) – Whether the password should contain digits.
  • special (bool) – Whether the password should contain special characters (!@#$%^&*).
  • ambig (bool) – Whether the password should contain ambiguous characters (iloILO10).
Returns:

str – The generated password.

securitylib.passwords.validate_password(password, min_length=12, min_lower=1, min_upper=1, min_digits=1, min_special=1, min_strength=50)

Validates a given password against some basic rules.

Parameters:
  • password (str) – Password to validate.
  • min_length (int) – Minimum length that the password must have.
  • min_lower (int) – Minimum number of lower case characters that the password must contain.
  • min_upper (int) – Minimum number of upper case characters that the password must contain.
  • min_digits (int) – Minimum number of digits that the password must contain.
  • min_special (int) – Minimum number of special characters (!@#$%^&*) that the password must contain.
  • min_strength (int) – Minimum strength that the password must have according to the function get_password_strength().
Returns:

list – A list with the name of the parameters whose validations have failed. This means a password is valid only if this function returns an empty list.
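As an added example covering both generate_password() and validate_password() above (not securitylib's implementation), the block below shows one way to honour the documented contracts: every enabled character class is guaranteed to appear, the ambiguous set iloILO10 can be excluded, and validation returns the names of the failed parameters, an empty list meaning valid. The min_strength rule is omitted because the strength heuristic is not described on this page.

```python
import secrets
import string

SPECIAL = "!@#$%^&*"          # special set as documented on this page
AMBIGUOUS = set("iloILO10")   # ambiguous set as documented on this page

def generate_password(length=12, lower=True, upper=True, digits=True,
                      special=True, ambig=True):
    """Generate a password containing at least one char of every enabled class."""
    if length < 8:
        raise ValueError("length must be at least 8")
    classes = []
    if lower:   classes.append(string.ascii_lowercase)
    if upper:   classes.append(string.ascii_uppercase)
    if digits:  classes.append(string.digits)
    if special: classes.append(SPECIAL)
    if not classes:
        raise ValueError("at least one character class must be enabled")
    if not ambig:  # drop look-alike characters from every class
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    # One character from each enabled class guarantees its presence...
    chars = [secrets.choice(cls) for cls in classes]
    # ...and the remaining positions are drawn from the union of all classes.
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # CSPRNG-driven Fisher-Yates shuffle so the guaranteed chars are not in fixed slots
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def validate_password(password, min_length=12, min_lower=1, min_upper=1,
                      min_digits=1, min_special=1):
    """Return the names of the parameters whose rule failed ([] means valid)."""
    counts = {
        "min_lower":   sum(c in string.ascii_lowercase for c in password),
        "min_upper":   sum(c in string.ascii_uppercase for c in password),
        "min_digits":  sum(c in string.digits for c in password),
        "min_special": sum(c in SPECIAL for c in password),
    }
    required = {"min_lower": min_lower, "min_upper": min_upper,
                "min_digits": min_digits, "min_special": min_special}
    failed = ["min_length"] if len(password) < min_length else []
    failed += [name for name in required if counts[name] < required[name]]
    return failed
```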

securitylib.passwords.get_password_strength(password, username=None)

Evaluate a password’s strength according to some heuristics.

Parameters:
  • password (str) – Password to evaluate.
  • username (str) – Username of the password’s owner. When provided, the password strength will be lower if it contains the given username. If the username is an email, both the whole email and its left part will be used.
Returns:

int – Strength of the password as an int between 0 and 100.

securitylib.passwords.get_entropy_bits(password, username=None)

Evaluates a password’s strength according to some heuristics and returns the entropy of the given password in bits.

E.g. a password with 8 characters, lowercase + digits, without dictionary words and without keyboard sequences, will have an entropy of about 26 bits. If it also contained uppercase characters, the entropy would be about 30 bits.

Parameters:
  • password (str) – Password to evaluate.
  • username (str) – Username of the password’s owner. When provided, the password strength will be lower if it contains the given username. If the username is an email, both the whole email and its left part will be used.

Returns:

int – Number of bits of entropy that the password has.