Metadata-Version: 2.1
Name: zope.password
Version: 3.6.1
Summary: Password encoding and checking utilities
Home-page: http://pypi.python.org/pypi/zope.password
Author: Zope Foundation and Contributors
Author-email: zope-dev@zope.org
License: ZPL 2.1
Keywords: zope authentication password zpasswd
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Web Environment
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Zope Public License
Classifier: Programming Language :: Python
Classifier: Natural Language :: English
Classifier: Operating System :: OS Independent
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Framework :: Zope3
Provides-Extra: vocabulary
Provides-Extra: test
License-File: LICENSE.txt

================
Password Manager
================

This package provides a password manager mechanism. A password manager
is a utility object that can encode passwords and check passwords
against encoded values. Beyond the generic interface, this package also
provides four implementations:

* PlainTextPasswordManager - the simplest and least secure one. It
  does not do any password encoding and simply checks the password
  by string equality.  It's useful in tests or as a base class for
  more secure implementations.

* MD5PasswordManager - a password manager that uses the MD5 algorithm
  to encode passwords. It adds a salt to the encoded password, but the
  salt is not used for encoding the password itself, so the use of salt
  in it is purely cosmetic. It's generally weak against dictionary
  attacks.

* SHA1PasswordManager - a password manager that uses the SHA1 algorithm
  to encode passwords. It has the same salt weakness as the
  MD5PasswordManager.

* SSHAPasswordManager - the most secure password manager, which is
  strong against dictionary attacks. It's basically a SHA1-encoding
  password manager which also incorporates a salt into the password
  when encoding it. This password manager is compatible with passwords
  used in LDAP databases.

It is strongly recommended to use SSHAPasswordManager, as it's the
most secure.
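
The difference between a cosmetic salt and a salt that is hashed together
with the password, as an added example using only the standard library (it
is not code from ``zope.password``). All function names are hypothetical;
the 4-byte salt and URL-safe base64 alphabet are inferred from the sample
``{SSHA}`` value in the ``zpasswd`` session on this page, and the
``{SHA1}`` layout is a model of the described weakness, not the package's
exact storage format.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def cosmetic_sha1(password, salt_hex=None):
    """Model of the weak scheme: the salt is stored but never hashed."""
    if salt_hex is None:
        salt_hex = os.urandom(4).hex()  # 8 hex characters
    return "{SHA1}" + salt_hex + hashlib.sha1(password.encode("utf-8")).hexdigest()


def ssha_encode(password, salt=None):
    """LDAP-style SSHA: tag + base64url(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # assumed salt length, see lead-in
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.urlsafe_b64encode(digest + salt).decode("ascii")


def ssha_check(encoded, password):
    """Recover the salt from the stored value, re-encode, then compare."""
    try:
        if isinstance(encoded, bytes):
            encoded = encoded.decode("ascii")
        if not encoded.startswith("{SSHA}"):
            return False
        raw = base64.urlsafe_b64decode(encoded[6:].encode("ascii"))
    except ValueError:  # non-ASCII input or malformed base64
        return False
    if len(raw) <= SHA1_LEN:
        return False  # this example rejects values that carry no salt
    salt = raw[SHA1_LEN:]
    # Constant-time comparison of the two ASCII strings.
    return hmac.compare_digest(ssha_encode(password, salt), encoded)


def digest_part(encoded):
    """Return only the hash portion (hex), without scheme tag or salt."""
    if encoded.startswith("{SSHA}"):
        return base64.urlsafe_b64decode(encoded[6:])[:SHA1_LEN].hex()
    return encoded[len("{SHA1}") + 8:]
```

With the cosmetic salt, two principals sharing a password store different strings but the same digest, so one precomputed dictionary matches both; with SSHA the digest itself changes with every salt.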

The package also provides a script `zpasswd` to generate principal
entries in typical ``site.zcml`` files.

Usage
-----

It's very easy to use password managers. The
``zope.password.interfaces.IPasswordManager`` interface defines only
two methods::

  def encodePassword(password):
      """Return encoded data for the given password"""

  def checkPassword(encoded_password, password):
      """Return whether the given encoded data coincide with the given password"""

The implementations mentioned above are in the
``zope.password.password`` module.


Password Manager Names Vocabulary
---------------------------------

The ``zope.password.vocabulary`` module provides a vocabulary of
registered password manager utility names. It is typically registered
as an `IVocabularyFactory` utility named "Password Manager Names".

It's intended to be used with ``zope.component`` and ``zope.schema``,
so you need to have them installed and the utility registrations need
to be done properly. The `configure.zcml` file contained in
``zope.password`` does the registrations, as does the
`setUpPasswordManagers` function in the ``zope.password.testing`` module.

zpasswd script
--------------

``zpasswd`` is a script to generate principal entries in typical
``site.zcml`` files.

You can create a ``zpasswd`` script in your package by adding a
section like this to your ``buildout.cfg``::

  [zpasswd]
  recipe = z3c.recipe.dev:script
  eggs = zope.password
  module = zope.password.zpasswd
  method = main

This will generate a script ``zpasswd`` next time you run
``buildout``.

When run, the script will ask you for all parameters needed to create
a typical principal entry, including the encoded password.

Use::

  $ bin/zpasswd --help

to get a list of options.

Using::

  $ bin/zpasswd -c some/site.zcml

the script will try to look up any password manager you defined and
registered in your environment. This lookup is not necessary if you
go with the standard password managers defined in `zope.password`.

A typical ``zpasswd`` session::

  $ ./bin/zpasswd 

  Please choose an id for the principal.

  Id: foo


  Please choose a title for the principal.

  Title: The Foo


  Please choose a login for the principal.

  Login: foo

  Password manager:

   1. Plain Text
   2. MD5
   3. SHA1
   4. SSHA

  Password Manager Number [4]: 
  SSHA password manager selected


  Please provide a password for the principal.

  Password: 
  Verify password: 

  Please provide an optional description for the principal.

  Description: The main foo 

  ============================================
  Principal information for inclusion in ZCML:

    <principal
      id="foo"
      title="The Foo"
      login="foo"
      password="{SSHA}Zi_Lsz7Na3bS5rz4Aer-9TbqomXD2f3T"
      description="The main foo"
      password_manager="SSHA"
      />




=======
CHANGES
=======

3.6.1 (2010-05-27)
------------------

- The SSHAPasswordManager.checkPassword() would not handle unicode input
  (even if the string would only contain ascii characters). Now, the
  encoded_password input will be encoded to ascii, which is deemed safe as it
  should not contain non-ascii characters anyway.

3.6.0 (2010-05-07)
------------------

- Removed zope.testing dependency for tests.

- Updated some copyright headers to comply with repository policy.

- Added the zpasswd script formerly held in zope.app.server. Unlike the
  former zpasswd script, which used "Plain Text" as the default password
  manager, SSHA is now used as the default.

3.5.1 (2009-03-14)
------------------

- Make security protection directives in `configure.zcml` execute only
  if ``zope.security`` is installed. This will allow reuse of the
  `configure.zcml` file in environments without ``zope.security``,
  for example with ``repoze.zcml``.

- Add "Password Manager Names" vocabulary for use with ``zope.schema``
  and ``zope.component``, like it was in ``zope.app.authentication``.
  It's an optional feature so it doesn't add hard dependency. We use
  "vocabulary" extra to list dependencies needed for vocabulary functionality.

3.5.0 (2009-03-06)
------------------

First release. This package was split off from ``zope.app.authentication``
to separate password manager functionality that is greatly re-usable without
any bit of ``zope.app.authentication`` and to reduce its dependencies.


