Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Zozi96/hash-forge/llms.txt
Use this file to discover all available pages before exploring further.
PasswordHashPolicy is a frozen dataclass that encodes a complete set of rules for password hashing in a single, reusable object. It declares which algorithm is preferred for new hashes, which algorithms are permitted for legacy verification, and whether deprecated or digest-only algorithms are blocked. Attaching a policy to HashManager via HashManager.from_policy() lets you enforce consistent hashing behaviour across your entire application from one place, rather than scattering algorithm choices across request handlers.
Built-in Policy Profiles
PasswordHashPolicy.recommended()
Modern default profile. Argon2 is preferred with sensible parameters. PBKDF2-SHA256, bcrypt-SHA256, and Scrypt are included to support gradual migration of any existing hashes. Best choice for new projects.
recommended profile uses:
preferred_algorithm:argon2algorithms:("argon2", "pbkdf2_sha256", "bcrypt_sha256", "scrypt")- Argon2 options:
time_cost=3,memory_cost=65536,parallelism=1,hash_len=32
PasswordHashPolicy.fips()
FIPS 140-2 compliant profile. Uses PBKDF2-HMAC-SHA256 at 600,000 iterations — the iteration count recommended by NIST SP 800-132 as of 2023. PBKDF2-SHA1 is retained solely for verifying existing hashes.
fips profile uses:
preferred_algorithm:pbkdf2_sha256algorithms:("pbkdf2_sha256", "pbkdf2_sha1")- PBKDF2 options:
iterations=600_000
PasswordHashPolicy.legacy_compat()
Compatibility profile for systems with a variety of historical hash formats. PBKDF2-SHA256 is the preferred algorithm for all new hashes. Verification is permitted for bcrypt, bcrypt-SHA256, Scrypt, PBKDF2-SHA1, and RIPEMD-160 hashes. allow_legacy_verify=True is set explicitly.
PasswordHashPolicy.calibrate(target_ms=250)
Auto-tunes the PBKDF2 iteration count so that a single hash operation takes at least target_ms milliseconds on the current hardware. Useful for ensuring consistent security cost across machines with different CPU speeds.
calibrate starts at the library default and doubles the iteration count until the measured runtime meets or exceeds target_ms. It never exceeds 2,000,000 iterations.
Creating a HashManager from a Policy
Pass any policy instance toHashManager.from_policy():
preferred_hasher is set to the policy’s preferred_algorithm, and all remaining algorithms are registered in the order they appear in policy.algorithms. The policy object is stored on manager.policy and consulted automatically by hash(), verify(), and needs_rehash().
Algorithm Categories
Hash Forge classifies every algorithm into one of four categories. The category determines what operations are permitted when a policy is active.| Category | Algorithms | Permitted operations |
|---|---|---|
password | argon2, bcrypt, bcrypt_sha256, pbkdf2_sha256, scrypt | Hash + verify |
legacy | pbkdf2_sha1, ripemd160 | Verify only (unless it is the preferred algorithm) |
digest | blake2, blake2b, blake3, sha3_256, sha3_512 | Verify only (new hashing blocked by default) |
deprecated | whirlpool | New hashing blocked by default |
Policy Enforcement
When a policy is attached to aHashManager, three enforcement methods are called automatically at runtime.
validate_for_hashing
Called by hash() before delegating to the preferred hasher. Raises ValueError when:
- The algorithm is
deprecatedandallow_deprecated_hashing=False - The algorithm is a
digestandallow_digest_password_hashing=False - The algorithm is
legacyand is not the designatedpreferred_algorithm
validate_for_verify
Called by verify() after identifying the hasher. Raises ValueError (and causes verify to return False) when:
- The algorithm is
legacyandallow_legacy_verify=False
needs_update
Called by needs_rehash(). Returns True when either:
- The algorithm of the stored hash differs from the policy’s
preferred_algorithm - The underlying hasher reports that parameters have changed
Custom Policy
PasswordHashPolicy is a frozen dataclass. Construct it directly to define a fully custom profile:
| Parameter | Type | Default | Description |
|---|---|---|---|
preferred_algorithm | str | — | Algorithm used for all new hashes |
algorithms | tuple[str, ...] | — | Full set of supported algorithms |
algorithm_options | dict[str, dict] | {} | Per-algorithm constructor kwargs |
allow_legacy_verify | bool | True | Permit legacy algorithm verification |
allow_digest_password_hashing | bool | False | Permit digest algorithms for new hashes |
allow_deprecated_hashing | bool | False | Permit deprecated algorithms for new hashes |
max_verify_costs | dict[str, dict] | {} | Upper-bound cost params for verify (Scrypt) |
