Passlib is a collection of routines for managing password hashes such as found in unix “shadow” files, as returned by stdlib’s crypt(), as stored in mysql and postgres, and various other places. Passlib’s contents can be roughly grouped into three categories: password hashes, password contexts, and utility functions.
All of the hash schemes supported by Passlib are implemented as classes which can be imported from the passlib.hash module. In turn, all of the hash classes implement a single uniform interface, which is documented in detail and with usage examples in the Password Hash Interface document. However, many of these hashes are severely insecure, provided only for legacy purposes, or are specialized in ways that are not generally useful. If you are creating a new application and need to choose a password hash, see the New Application Quickstart Guide.
Mature applications frequently have to deal with tables of existing password hashes. Over time, they have to support a number of tasks:
In these situations, loading and handling multiple hash algorithms becomes complicated and tedious. The passlib.context module provides a single class, CryptContext, which attempts to solve all of these problems, or at least relieve applications developers of (most of) the burden. This class handles managing multiple password hash schemes, deprecation & migration of old hashes, and supports a simple configuration language that can be serialized to an INI file.
Passlib also provides a number of pre-configured CryptContext instances in order to get users started quickly:
Passlib also contains a couple of additional modules which provide support for certain application-specific tasks:
Additionally, Passlib contains a number of modules which are used internally to implement the all of the other features. These may change between major releases, and won’t be needed by most users of Passlib. They are documented mainly to aid in examining the source.