PBKDF2PasswordHasher
Secure password hashing using the PBKDF2 algorithm (recommended)
Attributes
| Attribute | Type | Description |
|---|---|---|
| algorithm | string = "pbkdf2_sha256" | The identifier for the hashing algorithm used to label and verify encoded password strings. |
| iterations | integer = 1500000 | The number of PBKDF2 hashing rounds applied to the password to increase computational cost and security. |
| digest | callable = hashlib.sha256 | The HMAC digest algorithm used by the PBKDF2 function, defaulting to SHA256. |
Constructor
Signature
def PBKDF2PasswordHasher()
Methods
encode()
@classmethod
def encode(
password: string,
salt: string,
iterations: integer = None
) -> string
Generates a secure PBKDF2 hash string from a raw password and salt, incorporating the algorithm name and iteration count for storage.
Parameters
| Name | Type | Description |
|---|---|---|
| password | string | The raw password string to be hashed. |
| salt | string | A unique seed string used to ensure the resulting hash is unique even if passwords are identical. |
| iterations | integer = None | The number of PBKDF2 rounds to perform; defaults to the class-defined iteration count if not provided. |
Returns
| Type | Description |
|---|---|
| string | A formatted string containing the algorithm, iteration count, salt, and base64-encoded hash separated by dollar signs. |
decode()
@classmethod
def decode(
encoded: string
) -> object
Parses an encoded password string into its constituent components for verification or analysis.
Parameters
| Name | Type | Description |
|---|---|---|
| encoded | string | The formatted hash string retrieved from storage. |
Returns
| Type | Description |
|---|---|
| object | A dictionary containing the algorithm name, hash value, iteration count, and salt extracted from the encoded string. |
verify()
@classmethod
def verify(
password: string,
encoded: string
) -> boolean
Validates a raw password against an existing encoded hash using a constant-time comparison to prevent timing attacks.
Parameters
| Name | Type | Description |
|---|---|---|
| password | string | The raw password provided by the user for authentication. |
| encoded | string | The previously stored hash string to validate against. |
Returns
| Type | Description |
|---|---|
| boolean | True if the password generates a hash matching the encoded string, False otherwise. |
safe_summary()
@classmethod
def safe_summary(
encoded: string
) -> object
Provides a human-readable summary of the hash components with sensitive data like the salt and hash masked for safe logging or display.
Parameters
| Name | Type | Description |
|---|---|---|
| encoded | string | The encoded hash string to summarize. |
Returns
| Type | Description |
|---|---|
| object | A dictionary of descriptive labels and masked values representing the hash metadata. |
must_update()
@classmethod
def must_update(
encoded: string
) -> boolean
Determines if an encoded hash should be re-hashed to meet current security standards, such as increased iterations or salt entropy requirements.
Parameters
| Name | Type | Description |
|---|---|---|
| encoded | string | The encoded hash string currently stored in the database. |
Returns
| Type | Description |
|---|---|
| boolean | True if the hash's iterations or salt do not match current hasher settings, indicating an update is needed. |
harden_runtime()
@classmethod
def harden_runtime(
password: string,
encoded: string
)
Performs additional hashing iterations at runtime to bridge the gap between an older hash's iteration count and the current system standard, so that verifying an older, cheaper hash takes about as long as verifying a current one and the difference in cost is not observable from timing.
Parameters
| Name | Type | Description |
|---|---|---|
| password | string | The raw password used to perform the additional hashing rounds. |
| encoded | string | The existing encoded hash used to determine how many extra iterations are required. |
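The following is an added, self-contained re-implementation of the scheme this page documents, written to show how the pieces fit together; it is not Django's own code. It keeps the page's storage format (`algorithm$iterations$salt$hash`), the `pbkdf2_sha256` label, the 1,500,000-round default and the SHA256 HMAC digest, and uses `hmac.compare_digest` for the constant-time check that `verify()` requires. The salt alphabet, the 128-bit salt-entropy target, the `generate_salt()` helper and the instance-method style are assumptions made for this example; the methods are documented above as class methods.

```python
import base64
import hashlib
import hmac
import math
import secrets
import string


class PBKDF2PasswordHasher:
    """Illustrative PBKDF2 password hasher (added example, not Django's implementation)."""

    algorithm = "pbkdf2_sha256"
    iterations = 1_500_000          # default round count from the attribute table above
    digest = hashlib.sha256
    salt_entropy = 128              # bits; threshold assumed for this example
    _salt_alphabet = string.ascii_letters + string.digits  # 62 symbols, never contains '$'

    def generate_salt(self):
        # Enough characters from a 62-symbol alphabet to reach salt_entropy bits (22 chars).
        length = math.ceil(self.salt_entropy / math.log2(len(self._salt_alphabet)))
        return "".join(secrets.choice(self._salt_alphabet) for _ in range(length))

    def encode(self, password, salt, iterations=None):
        # '$' is the field separator of the stored string, so it must not appear in the salt.
        if not salt or "$" in salt:
            raise ValueError("salt must be non-empty and must not contain '$'")
        iterations = iterations or self.iterations
        key = hashlib.pbkdf2_hmac(self.digest().name, password.encode("utf-8"),
                                  salt.encode("utf-8"), iterations)
        return "%s$%d$%s$%s" % (self.algorithm, iterations, salt,
                                base64.b64encode(key).decode("ascii"))

    def decode(self, encoded):
        # A malformed string raises ValueError here (wrong field count or non-integer rounds).
        algorithm, iterations, salt, hash_b64 = encoded.split("$", 3)
        if algorithm != self.algorithm:
            raise ValueError("encoded string is not a %s hash" % self.algorithm)
        return {"algorithm": algorithm, "hash": hash_b64,
                "iterations": int(iterations), "salt": salt}

    def verify(self, password, encoded):
        parts = self.decode(encoded)
        # Re-run PBKDF2 with the *stored* salt and round count, then compare in constant time
        # so that a mismatch does not leak how many leading characters matched.
        candidate = self.encode(password, parts["salt"], parts["iterations"])
        return hmac.compare_digest(candidate.encode("utf-8"), encoded.encode("utf-8"))

    @staticmethod
    def _mask(value, show):
        return value[:show] + "*" * (len(value) - show)

    def safe_summary(self, encoded):
        # Metadata is fine to log; salt and hash are masked so the summary cannot be replayed.
        parts = self.decode(encoded)
        return {"algorithm": parts["algorithm"], "iterations": parts["iterations"],
                "salt": self._mask(parts["salt"], 2), "hash": self._mask(parts["hash"], 6)}

    def must_update(self, encoded):
        parts = self.decode(encoded)
        # Entropy estimate assumes the salt came from this hasher's 62-symbol alphabet.
        salt_bits = len(parts["salt"]) * math.log2(len(self._salt_alphabet))
        return parts["iterations"] != self.iterations or salt_bits < self.salt_entropy

    def harden_runtime(self, password, encoded):
        parts = self.decode(encoded)
        extra = self.iterations - parts["iterations"]
        if extra > 0:
            # Spend the missing rounds so an old, cheaper hash costs the same wall-clock
            # time to check as a current one; the result is discarded on purpose.
            self.encode(password, parts["salt"], extra)


if __name__ == "__main__":
    hasher = PBKDF2PasswordHasher()
    stored = hasher.encode("correct horse battery staple", hasher.generate_salt())
    print(hasher.safe_summary(stored))
    print("verify ok:", hasher.verify("correct horse battery staple", stored))
    print("needs update:", hasher.must_update(stored))
```

A typical login path calls `verify()`, then `must_update()`; when the latter returns True the caller re-encodes the freshly verified password with the current settings and stores the result. `harden_runtime()` is what a caller runs on the failure path (wrong password) for accounts whose stored hash uses fewer rounds, so that the response time does not differ from that of an up-to-date hash.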