1.. index::
2    single: PasswordHash interface
3    single: custom hash handler; requirements
4
5.. module:: passlib.ifc
6    :synopsis: abstract interfaces used by Passlib
7
8=============================================
9:mod:`passlib.ifc` -- Password Hash Interface
10=============================================
11
12.. _password-hash-api:
13
14PasswordHash API
15================
16This module provides the :class:`!PasswordHash` abstract base class.
17This class defines the common methods and attributes present
18on all the hashes importable from the :mod:`passlib.hash` module.
19Additionally, the :class:`passlib.context.CryptContext` class is deliberately
20designed to parallel many of this interface's methods.
21
22.. rst-class:: float-center
23
24.. seealso::
25
26    :ref:`hash-tutorial` -- Overview of this interface and how to use it.
27
28Base Abstract Class
29===================
30.. class:: PasswordHash()
31
32    This class provides an abstract interface for an arbitrary password hasher.
33
34    Applications will generally not construct instances directly --
35    most of the operations are performed via classmethods, allowing
36    instances of a given class to be an internal detail used to implement
37    the various operations.
38
39    While :class:`!PasswordHash` offers a number of methods and attributes,
40    most applications will only need the two primary methods:
41
42    * :meth:`PasswordHash.hash` - generate new salt, return hash of password.
43    * :meth:`PasswordHash.verify` - verify password against existing hash.
44
45    Two additional support methods are also provided:
46
47    * :meth:`PasswordHash.using` - create subclass with customized configuration.
48    * :meth:`PasswordHash.identify` - check if hash belongs to this algorithm.
49
50    Each hash algorithm also provides a number of :ref:`informational attributes <informational-attributes>`,
51    allowing programmatic inspection of its options and parameter limits.
52
53.. seealso::
54
55    :ref:`hash-tutorial` -- Overview of this interface and how to use it.
56
57.. _primary-methods:
58
59Hashing & Verification Methods
60==============================
61Most applications will only need to use two methods:
62:meth:`PasswordHash.hash` to generate new hashes, and :meth:`PasswordHash.verify`
63to check passwords against existing hashes.
64These methods provide an easy interface for working with a password hash,
65and abstract away details such as salt generation, hash normalization,
66and hash comparison.
67
68.. classmethod:: PasswordHash.hash(secret, \*\*kwds)
69
70    Digest password using format-specific algorithm,
71    returning resulting hash string.
72
73    For most hashes supported by Passlib, the returned string will contain:
74    an algorithm identifier, a cost parameter, the salt string,
75    and finally the password digest itself.
76
77    :type secret: unicode or bytes
78    :arg secret: string containing the password to encode.
79
80    :param \*\*kwds:
81
82        All additional keywords are algorithm-specific, and will be listed
83        in that hash's documentation; though many of the more common keywords
84        are listed under :attr:`PasswordHash.setting_kwds`
85        and :attr:`PasswordHash.context_kwds`.
86
87        .. deprecated:: 1.7
88
89            Passing :attr:`PasswordHash.setting_kwds` such as ``rounds`` and ``salt_size``
90            directly into the :meth:`hash` method is deprecated.  Callers should instead
91            use ``handler.using(**settings).hash(secret)``.  Support for the old method
92            is is tentatively scheduled for removal in Passlib 2.0.
93
94            Context keywords such as ``user`` should still be provided to :meth:`!hash`.
95
96    :returns:
97        Resulting password hash, encoded in an algorithm-specific format.
98        This will always be an instance of :class:`!str`
99        (i.e. :class:`unicode` under Python 3, ``ascii``-encoded :class:`bytes` under Python 2).
100
101    :raises ValueError:
102
103        * If a ``kwd``'s value is invalid (e.g. if a ``salt`` string
104          is too small, or a ``rounds`` value is out of range).
105
106        * If ``secret`` contains characters forbidden by the hash algorithm
107          (e.g. :class:`!des_crypt` forbids NULL characters).
108
109    :raises TypeError:
110
111        * if ``secret`` is not :class:`!unicode` or :class:`bytes`.
112        * if a ``kwd`` argument has an incorrect type.
113        * if an algorithm-specific required ``kwd`` is not provided.
114
115    .. versionchanged:: 1.6
116        Hashes now raise :exc:`TypeError` if a required keyword is missing,
117        rather than :exc:`ValueError` like in previous releases; in order
118        to conform with normal Python behavior.
119
120    .. versionchanged:: 1.6
121        Passlib is now much stricter about input validation: for example,
122        out-of-range ``rounds`` values now cause an error instead of being
123        clipped (though applications may set :ref:`relaxed=True <relaxed-keyword>`
124        to restore the old behavior).
125
126    .. versionchanged:: 1.7
127
128        This method was renamed from :meth:`encrypt`.
129        Deprecated support for passing settings directly into :meth:`!hash`.
130
131.. classmethod:: PasswordHash.encrypt(secret, \*\*kwds)
132
133    Legacy alias for :meth:`PasswordHash.hash`.
134
135    .. deprecated:: 1.7
136
137        This method was renamed to :meth:`!hash` in version 1.7.
138        This alias will be removed in version 2.0, and should only
139        be used for compatibility with Passlib 1.3 - 1.6.
140
141.. classmethod:: PasswordHash.verify(secret, hash, \*\*context_kwds)
142
143    Verify a secret using an existing hash.
144
145    This checks if a secret matches against the one stored
146    inside the specified hash.
147
148    :type secret: unicode or bytes
149    :param secret:
150        A string containing the password to check.
151
152    :type secret: unicode or bytes
153    :param hash:
154        A string containing the hash to check against,
155        such as returned by :meth:`PasswordHash.hash`.
156
157        Hashes may be specified as :class:`!unicode` or
158        ``ascii``-encoded :class:`!bytes`.
159
160    :param \*\*kwds:
161        Very few hashes will have additional keywords.
162
163        The ones that do typically require external contextual information
164        in order to calculate the digest. For these hashes,
165        the values must match the ones passed to the original
166        :meth:`PasswordHash.hash` call when the hash was generated,
167        or the password will not verify.
168
169        These additional keywords are algorithm-specific, and will be listed
170        in that hash's documentation; though the more common keywords
171        are listed under :attr:`PasswordHash.context_kwds`.
172        Examples of common keywords include ``user``.
173
174    :returns:
175        ``True`` if the secret matches, otherwise ``False``.
176
177    :raises TypeError:
178        * if either ``secret`` or ``hash`` is not a unicode or bytes instance.
179        * if the hash requires additional ``kwds`` which are not provided,
180        * if a ``kwd`` argument has the wrong type.
181
182    :raises ValueError:
183        * if ``hash`` does not match this algorithm's format.
184        * if the ``secret`` contains forbidden characters (see
185          :meth:`PasswordHash.hash`).
186        * if a configuration/salt string generated by :meth:`PasswordHash.genconfig`
187          is passed in as the value for ``hash`` (these strings look
188          similar to a full hash, but typically lack the digest portion
189          needed to verify a password).
190
191    .. versionchanged:: 1.6
192        This function now raises :exc:`ValueError` if ``None`` or a config string is provided
193        instead of a properly-formed hash; previous releases were inconsistent
194        in their handling of these two border cases.
195
196.. seealso::
197
198    * :ref:`hash-verifying` tutorial for a usage example
199
200.. _crypt-methods:
201
202.. rst-class:: html-toggle
203
204Crypt Methods
205=============
206Taken together, the :meth:`PasswordHash.genconfig` and :meth:`PasswordHash.genhash`
207are two tightly-coupled methods that mimic the standard Unix
208"crypt" interface. The first method generates salt / configuration
209strings from a set of settings, and the second hashes the password
210using the provided configuration string.
211
212.. seealso::
213
214    Most applications will find :meth:`PasswordHash.hash` much more useful,
215    as it combines the functionality of these two methods into one.
216
217.. classmethod:: PasswordHash.genconfig(\*\*setting_kwds)
218
219    .. deprecated:: 1.7
220
221        As of 1.7, this method is deprecated, and slated for complete removal in Passlib 2.0.
222
223        For all known real-world uses, ``.hash("", **settings)``
224        should provide equivalent functionality.
225
226        This deprecation may be reversed if a use-case presents itself in the mean time.
227
228    Returns a configuration string encoding settings for hash generation.
229
230    This function takes in all the same :attr:`PasswordHash.setting_kwds`
231    as :meth:`PasswordHash.hash`, fills in suitable defaults,
232    and encodes the settings into a single "configuration" string,
233    suitable passing to :meth:`PasswordHash.genhash`.
234
235    :param \*\*kwds:
236        All additional keywords are algorithm-specific, and will be listed
237        in that hash's documentation; though many of the more common keywords
238        are listed under :attr:`PasswordHash.setting_kwds`
239        Examples of common keywords include ``salt`` and ``rounds``.
240
241    :returns:
242        A configuration string (as :class:`!str`).
243
244    :raises ValueError, TypeError:
245        This function raises exceptions for the same
246        reasons as :meth:`PasswordHash.hash`.
247
248    .. versionchanged:: 1.7
249
250        This should now always return a full hash string, even in cases
251        where previous releases would return a truncated "configuration only" string,
252        or ``None``.
253
254.. classmethod:: PasswordHash.genhash(secret, config, \*\*context_kwds)
255
256    Encrypt secret using specified configuration string.
257
258    .. deprecated:: 1.7
259
260        As of 1.7, this method is deprecated, and slated for complete removal in Passlib 2.0.
261
262        This deprecation may be reversed if a use-case presents itself in the mean time.
263
264    This takes in a password and a configuration string,
265    and returns a hash for that password.
266
267    :type secret: unicode or bytes
268    :arg secret:
269        string containing the password to be encrypted.
270
271    :type config: unicode or bytes
272    :arg config:
273        configuration string to use when hashing the secret.
274        this can either be an existing hash that was previously
275        returned by :meth:`PasswordHash.genhash`, or a configuration string
276        that was previously created by :meth:`PasswordHash.genconfig`.
277
278        .. versionchanged:: 1.7
279
280            ``None`` is no longer accepted for hashes which (prior to 1.7)
281            lacked a configuration string format.
282
283    :param \*\*kwds:
284        Very few hashes will have additional keywords.
285
286        The ones that do typically require external contextual information
287        in order to calculate the digest. For these hashes,
288        the values must match the ones passed to the original
289        :meth:`PasswordHash.hash` call when the hash was generated,
290        or the password will not verify.
291
292        These additional keywords are algorithm-specific, and will be listed
293        in that hash's documentation; though the more common keywords
294        are listed under ::attr:`PasswordHash.context_kwds`.
295        Examples of common keywords include ``user``.
296
297    :returns:
298        Encoded hash matching specified secret, config, and kwds.
299        This will always be a native :class:`!str` instance.
300
301    :raises ValueError, TypeError:
302        This function raises exceptions for the same
303        reasons as :meth:`PasswordHash.hash`.
304
305    .. warning::
306
307        Traditionally, password verification using the "crypt" interface
308        was done by testing if ``hash == genhash(password, hash)``.
309        This test is only reliable for a handful of algorithms,
310        as various hash representation issues may cause false results.
311        Applications are strongly urged to use :meth:`~PasswordHash.verify` instead.
312
313.. _support-methods:
314
315Factory Creation
316================
317One powerful method offered by the :class:`!PasswordHash` class :meth:`PasswordHash.using`.
318This method allows you to quickly create subclasses of a specific hash,
319providing it with preconfigured defaults specific to your application:
320
321.. classmethod:: PasswordHash.using(relaxed=False, \*\*settings)
322
323    This method takes in a set of algorithm-specific settings,
324    and returns a new handler object which uses the specified default settings instead.
325
326    :param \*\*settings:
327
328        All keywords are algorithm-specific, and will be listed
329        in that hash's documentation; though many of the more common keywords
330        are listed under :attr:`PasswordHash.setting_kwds`.
331        Examples of common keywords include ``rounds`` and ``salt_size``.
332
333    :returns:
334        A new object which adheres to :class:`!PasswordHash` api.
335
336    :raises ValueError:
337
338        * If a keywords's value is invalid (e.g. if a ``salt`` string
339          is too small, or a ``rounds`` value is out of range).
340
341    :raises TypeError:
342
343        * if a ``kwd`` argument has an incorrect type.
344
345    .. versionadded:: 1.7
346
347.. seealso:: :ref:`hash-configuring` tutorial for a usage example
348
349Hash Inspection Methods
350=======================
351There are currently two hash inspection methods, :meth:`PasswordHash.identify`
352and :meth:`PasswordHash.needs_update`.
353
354.. classmethod:: PasswordHash.identify(hash)
355
356    Quickly identify if a hash string belongs to this algorithm.
357
358    :type hash: unicode or bytes
359    :arg hash:
360        the candidate hash string to check
361
362    :returns:
363        * ``True`` if the input is a configuration string or hash string
364           identifiable as belonging to this scheme (even if it's malformed).
365        * ``False`` if the input does not belong to this scheme.
366
367    :raises TypeError:
368        if :samp:`{hash}` is not a unicode or bytes instance.
369
370    .. note::
371
372        A small number of the hashes supported by Passlib lack a reliable
373        method of identification (e.g. :class:`~passlib.hash.lmhash`
374        and :class:`~passlib.hash.nthash` both consist of 32 hexadecimal characters,
375        with no distinguishing features). For such hashes, this method
376        may return false positives.
377
378    .. seealso::
379
380        If you are considering using this method to select from multiple
381        algorithms (e.g. in order to verify a password), you will be better served
382        by the :ref:`CryptContext <context-reference>` class.
383
384.. automethod:: PasswordHash.needs_update
385
386..
387    the undocumented and experimental support methods currently include
388    parsehash() and bitsize()
389
390
391    .. todo::
392
393        document the :attr:`is_disabled` and DisabledHash interface
394        added in passlib 1.7.
395
396.. _informational-attributes:
397
398.. _general-attributes:
399
400General Informational Attributes
401================================
402Each hash provides a handful of informational attributes, allowing
403programs to dynamically adapt to the requirements of different
404hash algorithms. The following attributes should be defined for all
405the hashes in passlib:
406
407.. attribute:: PasswordHash.name
408
409    Name uniquely identifying this hash.
410
411    For the hashes built into Passlib, this will always match
412    the location where it was imported from — :samp:`passlib.hash.{name}` —
413    though externally defined hashes may not adhere to this.
414
415    This should always be a :class:`!str` consisting of lowercase ``a-z``,
416    the digits ``0-9``, and the underscore character ``_``.
417
418.. attribute:: PasswordHash.setting_kwds
419
420    Tuple listing the keywords supported by :meth:`PasswordHash.using` control hash generation,
421    and which will be encoded into the resulting hash.
422
423    (These keywords will also be accepted by :meth:`PasswordHash.hash` and :meth:`PasswordHash.genconfig`,
424     though that behavior is deprecated as of Passlib 1.7; and will be removed in Passlib 2.0).
425
426    This list commonly includes keywords for controlling salt generation,
427    adjusting time-cost parameters, etc. Most of these settings are optional,
428    and suitable defaults will be chosen if they are omitted (e.g. salts
429    will be autogenerated).
430
431    While the documentation for each hash should have a complete list of
432    the specific settings the hash uses, the following keywords should have
433    roughly the same behavior for all the hashes that support them:
434
435    .. index::
436        single: salt; PasswordHash keyword
437
438    ``salt``
439        Specifies a fixed salt string to use, rather than randomly
440        generating one.
441
442        This option is supported by most of the hashes in Passlib,
443        though typically it isn't used, as random generation of a salt
444        is usually the desired behavior.
445
446        Hashes typically require this to be a :class:`!unicode` or
447        :class:`!bytes` instance, with additional constraints
448        appropriate to the algorithm.
449
450    .. index::
451        single: salt_size; PasswordHash keyword
452
453    ``salt_size``
454
455        Most algorithms which support the ``salt`` setting will
456        autogenerate a salt when none is provided. Most of those hashes
457        will also offer this option, which allows the caller to specify
458        the size of salt which should be generated. If omitted,
459        the hash's default salt size will be used.
460
461        .. seealso:: the :ref:`salt info <salt-attributes>` attributes (below)
462
463    .. index::
464        single: rounds; PasswordHash keyword
465
466    ``rounds``
467        If present, this means the hash can vary the number
468        of internal rounds used in some part of its algorithm,
469        allowing the calculation to take a variable amount of processor
470        time, for increased security.
471
472        While this is almost always a non-negative integer,
473        additional constraints may be present for each algorithm
474        (such as the cost varying on a linear or logarithmic scale).
475
476        This value is typically omitted, in which case a default
477        value will be used. The defaults for all the hashes in Passlib
478        are periodically retuned to strike a balance between
479        security and responsiveness.
480
481        .. seealso:: the :ref:`rounds info <rounds-attributes>` attributes (below)
482
483    .. index::
484        single: ident; PasswordHash keyword
485
486    ``ident``
487        If present, the class supports multiple formats for encoding
488        the same hash. The class's documentation will generally list
489        the allowed values, allowing alternate output formats to be selected.
490
491        Note that these values will typically correspond to different
492        revision of the hash algorithm itself, and they may not all
493        offer the same level of security.
494
495    ``truncate_error``
496
497        This will be present if and only if the hash truncates passwords
498        larger than some limit (reported via it's :attr:`truncate_size` attribute).
499        By default, they will silently truncate passwords above their limit.
500        Setting ``truncate_error=True`` will cause :meth:`PasswordHash.hash`
501        to raise a :exc:`~passlib.exc.PasswordTruncateError` instead.
502
503    .. index::
504        single: relaxed; PasswordHash keyword
505
506    .. _relaxed-keyword:
507
508    ``relaxed``
509        By default, passing an invalid value to :meth:`PasswordHash.using`
510        will result in a :exc:`ValueError`. However, if ``relaxed=True``
511        then Passlib will attempt to correct the error and (if successful)
512        issue a :exc:`~passlib.exc.PasslibHashWarning` instead.
513        This warning may then be filtered if desired.
514        Correctable errors include (but are not limited to): ``rounds``
515        and ``salt_size`` values that are too low or too high, ``salt``
516        strings that are too large.
517
518        .. versionadded:: 1.6
519
520.. _context-keywords:
521
522.. attribute:: PasswordHash.context_kwds
523
524    Tuple listing the keywords supported by :meth:`PasswordHash.hash`,
525    :meth:`PasswordHash.verify`, and :meth:`PasswordHash.genhash`.
526    These keywords are different from the settings kwds in that the context keywords
527    affect the hash, but are not encoded within it, and thus must be provided each time
528    the hash is calculated.
529
530    This list commonly includes a user account, http realm identifier,
531    etc. Most of these keywords are required by the hashes which support them,
532    as they are frequently used in place of an embedded salt parameter.
533
534    *Most hash algorithms in Passlib will have no context keywords.*
535
536    While the documentation for each hash should have a complete list of
537    the specific context keywords the hash uses,
538    the following keywords should have roughly the same behavior
539    for all the hashes that support them:
540
541    .. index::
542        single: user; PasswordHash keyword
543
544    ``user``
545
546        If present, the class requires a username be specified whenever
547        performing a hash calculation (e.g.
548        :class:`~passlib.hash.postgres_md5` and
549        :class:`~passlib.hash.oracle10`).
550
551    .. index::
552        single: encoding; PasswordHash keyword
553
554    ``encoding``
555
556        Some hashes have poorly-defined or host-dependant unicode behavior,
557        and properly hashing a non-ASCII password requires providing
558        the correct encoding (:class:`~passlib.hash.lmhash` is perhaps the worst offender).
559        Hashes which provide this keyword will always expose
560        their default encoding programmatically via the
561        :attr:`PasswordHash.default_encoding` attribute.
562
563.. attribute:: truncate_size
564
565    A positive integer, indicating the hash will truncate any passwords larger than this many bytes.
566    If ``None`` (the more common case), indicates the hash will use
567    the entire password provided.
568
569    Hashes which specify this setting will also support a ``truncate_error``
570    flag via their :meth:`PasswordHash.using` method, to configure
571    how truncation is handled.
572
573.. seealso:: :ref:`hash-configuring` tutorial for a usage example
574
575.. _salt-attributes:
576
577Salt Information Attributes
578===========================
579For schemes which support a salt string,
580``"salt"`` should be listed in their :attr:`PasswordHash.setting_kwds`,
581and the following attributes should be defined:
582
583.. attribute:: PasswordHash.max_salt_size
584
585    The maximum number of bytes/characters allowed in the salt.
586    Should either be a positive integer, or ``None`` (indicating
587    the algorithm has no effective upper limit).
588
589.. attribute:: PasswordHash.min_salt_size
590
591    The minimum number of bytes/characters required for the salt.
592    Must be an integer between 0 and :attr:`PasswordHash.max_salt_size`.
593
594.. attribute:: PasswordHash.default_salt_size
595
596    The default salt size that will be used when generating a salt,
597    assuming ``salt_size`` is not set explicitly. This is typically
598    the same as :attr:`max_salt_size`,
599    or a sane default if ``max_salt_size=None``.
600
601.. attribute:: PasswordHash.salt_chars
602
603    A unicode string containing all the characters permitted
604    in a salt string.
605
606    For most :ref:`modular-crypt-format` hashes,
607    this is equal to :data:`passlib.utils.binary.HASH64_CHARS`.
608    For the rare hashes where the ``salt`` parameter must be specified
609    in bytes, this will be a placeholder :class:`!bytes` object containing
610    all 256 possible byte values.
611
612..
613    not yet documentated, want to make sure this is how we want to do things:
614
615    .. attribute:: PasswordHash.default_salt_chars
616
617        sequence of characters used to generate new salts.
618        this is typically the same as :attr:`PasswordHash.salt_chars`, but some
619        hashes accept a larger-than-useful range, and this will
620        contain only the "common" values used for generation.
621
622.. _rounds-attributes:
623
624Rounds Information Attributes
625=============================
626For schemes which support a variable time-cost parameter,
627``"rounds"`` should be listed in their :attr:`PasswordHash.setting_kwds`,
628and the following attributes should be defined:
629
630.. attribute:: PasswordHash.max_rounds
631
632    The maximum number of rounds the scheme allows.
633    Specifying a value beyond this will result in a :exc:`ValueError`.
634    This will be either a positive integer, or ``None`` (indicating
635    the algorithm has no effective upper limit).
636
637.. attribute:: PasswordHash.min_rounds
638
639    The minimum number of rounds the scheme allows.
640    Specifying a value below this will result in a :exc:`ValueError`.
641    Will always be an integer between 0 and :attr:`PasswordHash.max_rounds`.
642
643.. attribute:: PasswordHash.default_rounds
644
645    The default number of rounds that will be used if none is explicitly
646    provided to :meth:`PasswordHash.hash`.
647    This will always be an integer between :attr:`PasswordHash.min_rounds`
648    and :attr:`PasswordHash.max_rounds`.
649
650.. attribute:: PasswordHash.rounds_cost
651
652    While the cost parameter ``rounds`` is an integer, how it corresponds
653    to the amount of time taken can vary between hashes. This attribute
654    indicates the scale used by the hash:
655
656    * ``"linear"`` - time taken scales linearly with rounds value
657      (e.g. :class:`~passlib.hash.sha512_crypt`)
658    * ``"log2"`` - time taken scales exponentially with rounds value
659      (e.g. :class:`~passlib.hash.bcrypt`)
660
661.. todo:: document the additional :meth:`PasswordHash.using` keywords
662   available for setting rounds limits.
663
664..
665    todo: haven't decided if this is how I want the api look before
666    formally publishing it in the documentation:
667
668    .. _password-hash-backends:
669
670    Multiple Backends
671    =================
672    .. note::
673
674        For the most part, applications will not need this interface,
675        outside of perhaps calling the :meth:`PasswordHash.get_backend`
676        to determine which the active backend.
677
678    Some hashes provided by Passlib have multiple backends which they
679    select from at runtime, to provide the fastest implementation available.
680    Algorithms which offer multiple backends will expose the following
681    methods and attributes:
682
683    .. attribute:: PasswordHash.backends
684
685        Tuple listing names of potential backends (which may or may not be available).
686        If this attribute is not present, the hash does not support
687        multiple backends.
688
689        While the names of the backends are specific to the hash algorithm,
690        the following standard names may be present:
691
692        * ``"os_crypt"`` - backend which uses stdlib's :mod:`!crypt` module.
693          this backend will not be available if the underlying host OS
694          does not support the particular hash algorithm.
695
696        * ``"builtin"`` - backend using pure-python implementation built into
697          Passlib. All hashes will have this as their last backend, as a fallback.
698
699    .. method:: PasswordHash.get_backend()
700
701        This method should return the name of the currently active backend
702        that will be used by :meth:`PasswordHash.hash` and :meth:`PasswordHash.verify`.
703
704        :raises passlib.exc.MissingBackendError:
705            in the rare case that *no* backends can be loaded.
706
707    .. method:: PasswordHash.has_backend(backend)
708
709        This method can be used to test if a specific backend is available.
710        Returns ``True`` or ``False``.
711
712    .. method:: PasswordHash.set_backend(backend)
713
714        This method can be used to select a specific backend.
715        The ``backend`` argument must be one of the backends listed
716        in :attr:`PasswordHash.backends`, or the special value ``"default"``.
717
718        :raises passlib.exc.MissingBackendError:
719            if the specified backend is not available.
720