create(password, salt=None, algorithm=1, rounds=4, salt_len=2, sep=u'$')
The meat of the module, this function takes a provided password and
generates a Unix-like passwd hash suitable for storage in portable,
text-based data files. The password is prepended with a salt (which can
also be specified explicitly, if the output needs to be repeatable) and
then hashed with the requested algorithm iterated as many times as 2
raised to the power of the rounds parameter.
The first character of the text returned by this function denotes the
separator character used to identify subsequent fields. The fields in
order are:
- the decimal index number indicating which algorithm was used, also
  mapped as convenience constants at the beginning of this module
- the number of times (as an exponent of 2) which the algorithm was
  iterated, represented by a decimal value between 0 and 16 inclusive
  (0 results in one round, 16 results in 65536 rounds, and anything
  higher than that is a potential resource consumption denial of
  service on the application anyway)
- the plain-text salt with which the password was prepended before
  hashing
- the resulting password hash itself, base64-encoded using . and / as
  the two non-alpha-numeric characters required to reach 64
The defaults provided should be safe for everyday use, but something
more heavy-duty may be in order for admin users, such as:
    create(password, algorithm=SHA256, rounds=12, salt_len=16)
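The field layout above can be checked before any hashing work is done. The following is an added example, not this module's source: `parse`, `make`, `verify`, `MAX_ROUNDS` and the `ALGOS` index table are hypothetical names, and the index-to-algorithm mapping, the way each round feeds the next, and the retained base64 padding are assumptions.

```python
import base64
import hashlib
import hmac

MAX_ROUNDS = 16  # upper bound on the exponent, as stated in the field list
# Assumed index-to-algorithm table for this example only; the page does not
# list the module's constants.
ALGOS = {1: hashlib.sha1, 3: hashlib.sha256}


def parse(stored):
    """Split a stored hash into (sep, algorithm, rounds, salt, digest_text)."""
    if len(stored) < 2:
        raise ValueError("too short")
    sep = stored[0]  # the first character names the separator
    fields = stored[1:].split(sep)
    if len(fields) != 4:
        raise ValueError("expected four fields")
    algorithm, rounds, salt, digest_text = fields
    for number in (algorithm, rounds):
        if not (number.isascii() and number.isdigit()):
            raise ValueError("non-decimal field")
    algorithm, rounds = int(algorithm), int(rounds)
    if algorithm not in ALGOS:
        raise ValueError("unknown algorithm index")
    if rounds > MAX_ROUNDS:  # refuse before doing any hashing work
        raise ValueError("rounds exponent out of range")
    return sep, algorithm, rounds, salt, digest_text


def make(password, salt, algorithm=1, rounds=4, sep="$"):
    """Build a hash in the described layout (round chaining is assumed)."""
    digest = (salt + password).encode("utf-8")  # salt is prepended
    for _ in range(2 ** rounds):
        digest = ALGOS[algorithm](digest).digest()
    text = base64.b64encode(digest, altchars=b"./").decode("ascii")
    return sep + sep.join((str(algorithm), str(rounds), salt, text))


def verify(password, stored):
    """Return True only if password reproduces the stored hash."""
    try:
        sep, algorithm, rounds, salt, _ = parse(stored)
    except ValueError:
        return False
    candidate = make(password, salt, algorithm, rounds, sep)
    return hmac.compare_digest(candidate.encode(), stored.encode())
```

Because `parse` rejects an exponent above 16 before `make` runs, a tampered data file cannot push the verifier into an unbounded number of rounds.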