z3c.password 0.7.3

Password generation and verification utility for Zope3

This package provides an API and implementation of a password generation and
verification utility. A high-security implementation is provided that is
suitable for banks and other high-security institutions. The package also
offers a field and a property for those fields.


=======
CHANGES
=======

0.7.3 (2009-12-22)
------------------

- Fix: ``PrincipalMixIn.passwordSetOn`` happens to be ``None`` in case the
class is mixed in after the user was created, that caused a bug.

0.7.3 (2009-12-08)
------------------

- Fix: ``disallowPasswordReuse`` must not check ``None`` passwords.

0.7.2 (2009-08-07)
------------------

- German translations

0.7.1 (2009-07-02)
------------------

- Feature: ``passwordOptionsUtilityName`` property on the ``PrincipalMixIn``.
This allows to set different options for a set of users instead of storing
the direct values on the principal.


0.7.0 (2009-06-22)
------------------

- Feature: Even harder password settings:
* ``minLowerLetter``
* ``minUpperLetter``
* ``minDigits``
* ``minSpecials``
* ``minOthers``
* ``minUniqueCharacters``
* ``minUniqueLetters``: count and do not allow less then specified number

- Feature:
* ``disallowPasswordReuse``: do not allow to set a previously used password

- 100% test coverage

0.6.0 (2009-06-17)
------------------

- Features:
``PrincipalMixIn`` got some new properties:
* ``passwordExpired``: to force the expiry of the password
* ``lockOutPeriod``: to enable automatic lock and unlock on too many bad tries

``IPasswordOptionsUtility`` to have global password options:
* ``changePasswordOnNextLogin``: not implemented here,
use PrincipalMixIn.passwordExpired
* ``lockOutPeriod``: global counterpart of the PrincipalMixIn property
* ``passwordExpiresAfter``: global counterpart of the PrincipalMixIn property
* ``maxFailedAttempts``: global counterpart of the PrincipalMixIn property

Password checking goes like this (on the high level):
1. raise AccountLocked if too many bad tries and account should be locked
2. raise PasswordExpired if expired AND password matches
3. raise TooManyLoginFailures if too many bad tries
4. return whether password matches
More details in ``principal.txt``

- Added Russian translation

- Refactor PrincipalMixIn now() into a separate method to facilitate
override and testing

- Changed the order the password is checked:
1. check password against stored
2. check maxFailedAttempts, raise TooManyLoginFailures if over
3. if password is OK, check expirationDate, raise PasswordExpired if over
4. return whether password matches

This is because I need to be sure that PasswordExpired is raised only if the
password *IS* valid. Entering an invalid password *MUST NOT* raise
PasswordExpired, because I want to use PasswordExpired to allow the user
to change it's password. This should not happen if the user did not enter a
valid password.

0.5.0 (2008-10-21)
------------------

- Initial Release