id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
18182	Raw password echoed on authentication if no hashing used	Daniel Roseman	Claude Paroz <claude@…>	"If a password is somehow created without being hashed - say by the developer setting `user.password` directly rather than via `set_password` - the `check_password` function wrongly assumes that the entire password is the hashing algorithm, and passes it to `get_hasher`, resulting in an error message which reveals the actual password:

{{{
>>> user = User.objects.create(username='foo', password='bar')
>>> authenticate(username='foo', password='bar')
...
ValueError: Unknown password hashing algorithm 'bar'. Did you specify it in the PASSWORD_HASHERS setting?
}}}

The bug is in `django.contrib.auth.hashers.check_password`, line 41, where it assumes that the result of `encoded.split('$', 1)[0]` will always be an algorithm, when in the above case it's the password itself.

Although the password shouldn't have been created in this way in the first place, the code in `check_password` should be more intelligent about whether or not it's found an algorithm name."	Bug	closed	contrib.auth	1.4	Normal	fixed		liokmkoil@… moritz.sichert@…	Accepted	1	0	0	0	0	0
