bisHash is a lightweight Python module for secure password hashing using Argon2 with additional peppering, strong password validation, and built-in rate-limiting to protect against brute-force and abuse in login or signup flows.
- This is an prototype, demonstration purposes omnly
- In-memory tracking is used for failed attempts. Replace with persistent storage (like Redis) for production.
- The internal
PEPPERshould ideally be loaded from an environment variable in secure environments.
pip install bisHash- ✅ Argon2-based Password Hashing with a pepper
- 🔐 Strong Password Strength Validation
- 🚫 Rate Limiting for signup attempts per IP
- 🔒 Account Lockout for repeated failed login attempts
- 🧠 In-memory tracking of attempts per identifier or IP
from bisHash import bis_hash, TooManyAttemptsError
try:
hash = bis_hash(ip="192.168.1.100", identifier="user@example.com", password="StrongPass!23")
except TooManyAttemptsError:
print("Too many signup attempts. Please try again later.")from bisHash import verify_password
# After retrieving the stored hash from your DB:
is_valid = verify_password(stored_hash, "user@example.com", "StrongPass!23")
if is_valid:
print("Login successful")
else:
print("Login failed or account is locked.")from bisHash import is_strong_password
ok, message = is_strong_password("Weakpass123")
print(message)Returns a tuple (bool, message) indicating password strength.
Returns a secure hash of the password. Enforces rate limiting. Raises TooManyAttemptsError if attempts exceed the allowed limit per IP.
Verifies a given password against the stored hash and applies login lockout rules.
Raised if the rate limit is exceeded (e.g., too many signup attempts).
- ✅ Password minimum length: 12 characters
- ✅ Required characters: uppercase, lowercase, digit, special
- 🚫 Signup limit: 5 attempts per IP per 10 minutes
- 🔒 Login lockout: 5 failed attempts per 10 minutes
MIT — Free to use, modify, and distribute.