Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Zozi96/hash-forge/llms.txt
Use this file to discover all available pages before exploring further.
PasswordHashPolicy is a frozen dataclass that encodes the rules governing which algorithms are acceptable for new hashes, which may still be used for verification of legacy data, and what per-algorithm construction parameters to use. When a policy is attached to a HashManager (via HashManager.from_policy), it is consulted on every hash, verify, and needs_rehash call, ensuring consistent enforcement across the application.
Built-in Profiles
Hash Forge ships four ready-made profiles covering the most common deployment scenarios. Each is a classmethod that returns a fully populatedPasswordHashPolicy instance.
recommended
| Setting | Value |
|---|---|
| Preferred algorithm | argon2 |
time_cost | 3 |
memory_cost | 65 536 KiB |
parallelism | 1 |
hash_len | 32 |
| Migration algorithms | pbkdf2_sha256, bcrypt_sha256, scrypt |
fips
| Setting | Value |
|---|---|
| Preferred algorithm | pbkdf2_sha256 |
iterations | 600 000 |
| Migration algorithms | pbkdf2_sha1 |
Use this profile when deploying to environments with FIPS-mode OpenSSL or US federal compliance requirements. Argon2 and bcrypt are intentionally excluded — they are not FIPS-approved primitives.
legacy_compat
| Setting | Value |
|---|---|
| Preferred algorithm | pbkdf2_sha256 |
iterations | DEFAULT_PBKDF2_ITERATIONS (150 000) |
allow_legacy_verify | True |
| Verification algorithms | pbkdf2_sha1, bcrypt, bcrypt_sha256, scrypt, ripemd160 |
calibrate
target_ms milliseconds on the current machine. The method doubles the iteration count until the target is reached (up to a hard ceiling of 2,000,000 iterations), then returns a PBKDF2-only policy.
Target hash duration in milliseconds. Defaults to
250.PasswordHashPolicy with a calibrated pbkdf2_sha256 iteration count.
Constructor Fields
PasswordHashPolicy is a frozen dataclass — all fields are set at creation time and cannot be mutated.
The algorithm used for all new password hashes. Must be included in
algorithms.Complete ordered tuple of algorithm identifiers registered with the policy. The preferred algorithm should appear first.
Per-algorithm constructor keyword arguments. Keys are algorithm names; values are dicts passed to
HasherFactory.create. Defaults to {}.When
True (default), legacy-category algorithms such as pbkdf2_sha1 and ripemd160 may still be used for hash verification. When False, any verify call targeting a legacy hasher returns False.When
False (default), calling hash() with a digest algorithm (blake2, sha3_256, etc.) raises ValueError. Fast digests are not suitable for password hashing and this guard prevents accidental misuse.When
False (default), calling hash() with a deprecated algorithm (whirlpool) raises ValueError.Maximum accepted cost parameters for verification. Currently used by Scrypt to reject hashes that were produced with implausibly high cost factors. Defaults to
{}.Instance Methods
options_for
algorithm_options. For Scrypt, any max_verify_costs entries are merged in automatically.
The algorithm name to look up.
dict[str, Any] — constructor kwargs (empty dict if no options were set).
validate_for_hashing
algorithm is acceptable for producing new hashes under this policy. Raises ValueError for any of the following conditions:
| Condition | Guard flag |
|---|---|
Algorithm is "deprecated" category | allow_deprecated_hashing is False |
Algorithm is "digest" category | allow_digest_password_hashing is False |
Algorithm is "legacy" category and not the preferred algorithm | Always blocked |
The algorithm name to validate.
None on success; raises ValueError on failure.
validate_for_verify
algorithm is allowed for verifying an existing hash. Currently enforces the allow_legacy_verify flag for legacy-category algorithms.
The algorithm name to validate.
None on success; raises ValueError when legacy verify is blocked.
needs_update
True when a successfully verified hash should be rotated to a newer hash. The check combines two conditions with logical OR:
- The hash’s canonical algorithm differs from the policy’s preferred algorithm.
- The hasher’s own
needs_rehashcheck returnedTrue(e.g. parameters changed).
The algorithm that produced the hash being evaluated.
The result of the hasher’s own parameter-level rehash check.
bool
Helper Functions
The following utilities are exported fromhash_forge alongside PasswordHashPolicy:
classify_algorithm
canonical_algorithm
AlgorithmCategory
classify_algorithm. Import it for type annotations:
| Value | Algorithms |
|---|---|
"password" | argon2, bcrypt, bcrypt_sha256, pbkdf2_sha256, scrypt |
"legacy" | pbkdf2_sha1, ripemd160, RIPEMD-160 |
"digest" | blake2, blake2b, blake3, sha3_256, sha3_512 |
"deprecated" | whirlpool |
