keystone.common.password_hashing module

keystone.common.password_hashing.check_password(password: str, hashed: str) → bool

Check that a plaintext password matches hashed.

hashpw returns the salt value concatenated with the actual hash value. It extracts the actual salt if this value is then passed as the salt.

keystone.common.password_hashing.generate_partial_password_hash(password: str, salt: str) → str

Generates partial password hash for reporting purposes.

The generated password hash is base64 encoded, and max_chars of it are returned.

keystone.common.password_hashing.hash_password(password: str) → str

Hash a password. Harder.

keystone.common.password_hashing.hash_user_password(user)

Hash a user dict’s password without modifying the passed-in dict.

keystone.common.password_hashing.verify_length_and_trunc_password(password) → bytes

Verify and truncate the provided password to the max_password_length.

We also need to check that the configured password hashing algorithm does not silently truncate the password. For example, passlib.hash.bcrypt does this: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues