Index: django/conf/global_settings.py
===================================================================
--- django/conf/global_settings.py	(revision 6573)
+++ django/conf/global_settings.py	(working copy)
@@ -333,6 +333,15 @@
 
 LOGIN_REDIRECT_URL = '/accounts/profile/'
 
+# The preferred hash algorithm for storing passwords
+# Acceptable values are 'crypt', 'md5', 'sha1', and 'bcrypt'
+# NOTE : 'crypt' and 'md5' are provided only for legacy integration
+PREFERRED_HASH = 'sha1'
+
+# The number of rounds determines the complexity of the bcrypt alg.
+# The work factor is 2**log_rounds, and the default is 12
+BCRYPT_LOG_ROUNDS = 12
+
 ###########
 # TESTING #
 ###########
Index: django/contrib/auth/models.py
===================================================================
--- django/contrib/auth/models.py	(revision 6573)
+++ django/contrib/auth/models.py	(working copy)
@@ -46,13 +46,49 @@
             return hashlib.sha1(salt + raw_password).hexdigest()
     raise ValueError("Got unknown password algorithm type in password.")
 
+def hash_password(raw_password, enc_password):
+    """
+    Returns a formatted hash of the user's password. 
+    """
+    if enc_password in ('crypt', 'md5', 'sha1', 'bcrypt'):
+        validating = False
+        algo = enc_password
+        algo_args = ''
+        hsh = ''
+    else:
+        validating = True
+        if enc_password[0] == '$':
+            algo, algo_args, hsh = enc_password[1:].split('$')
+        else:
+            algo, algo_args, hsh = enc_password.split('$')
+    if algo == 'bcrypt' or algo == '2' or algo == '2a':
+        try:
+            import bcrypt
+            if validating:
+                # If we are validating, use the hash in the provided password
+                salt = enc_password
+            else:
+                # If we are generating a new hash, we need to generate a salt
+                from django.conf import settings
+                salt = bcrypt.gensalt(settings.BCRYPT_LOG_ROUNDS)
+            return bcrypt.hashpw(raw_password, salt)
+        except ImportError:
+            raise ValueError('"bcrypt" password algorithm not supported in this environment')
+    else:
+        if validating:
+            salt = algo_args
+        else:
+            import random
+            salt = get_hexdigest(algo, str(random.random()), str(random.random()))[:5]
+        hsh = get_hexdigest(algo, salt, raw_password)
+        return '%s$%s$%s' % (algo, salt, hsh)
+
 def check_password(raw_password, enc_password):
     """
     Returns a boolean of whether the raw_password was correct. Handles
     encryption formats behind the scenes.
     """
-    algo, salt, hsh = enc_password.split('$')
-    return hsh == get_hexdigest(algo, salt, raw_password)
+    return enc_password == hash_password(raw_password, enc_password)
 
 class SiteProfileNotAvailable(Exception):
     pass
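Review bot: The new `check_password` compares the stored value with the recomputed hash using `==`, which returns at the first differing byte; a constant-time comparison (`hmac.compare_digest` where the target Python provides it, otherwise a fixed-length XOR fold over both strings) keeps verification time independent of how much of the hash matches. Separately, `hash_password` indexes `enc_password[0]` before handling an empty string, so a blank stored password now raises IndexError where the old `split('$')` unpack raised ValueError; `if enc_password.startswith('$'):` keeps the old exception type. The `try` around the bcrypt branch also catches an ImportError raised by `from django.conf import settings` and reports it as a missing bcrypt module, so `import bcrypt` should sit in its own try/except. The docstring of `hash_password` should state that `enc_password` is either an algorithm name, in which case a fresh salt is generated, or an existing formatted hash, in which case its salt is reused so the caller can compare the results.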
@@ -181,11 +217,13 @@
         return full_name.strip()
 
     def set_password(self, raw_password):
-        import random
-        algo = 'sha1'
-        salt = get_hexdigest(algo, str(random.random()), str(random.random()))[:5]
-        hsh = get_hexdigest(algo, salt, raw_password)
-        self.password = '%s$%s$%s' % (algo, salt, hsh)
+        """
+        Sets the users's password hash to a hash of raw_password. Handles
+        encryption formats behind the scenes.
+        """
+        from django.conf import settings
+        algo = settings.PREFERRED_HASH
+        self.password = hash_password(raw_password, algo)
 
     def check_password(self, raw_password):
         """
Index: docs/settings.txt
===================================================================
--- docs/settings.txt	(revision 6573)
+++ docs/settings.txt	(working copy)
@@ -225,6 +225,16 @@
 ``CommonMiddleware`` is installed (see the `middleware docs`_). See also
 ``PREPEND_WWW``.
 
+BCRYPT_LOG_ROUNDS
+-------------
+
+**New in Django development version**
+
+Default: ``12``
+
+The number of rounds determines the complexity of the ``bcrypt`` password
+hashing algorithm. The work factor is 2**BCRYPT_LOG_ROUNDS.
+
 CACHE_BACKEND
 -------------
 
@@ -678,6 +688,27 @@
 See `allowed date format strings`_. See also ``DATE_FORMAT``,
 ``DATETIME_FORMAT``, ``TIME_FORMAT`` and ``YEAR_MONTH_FORMAT``.
 
+PREFERRED_HASH
+----------
+
+**New in Django development version**
+
+Default: ``'sha1'``
+
+The default hash to use when saving new passwords. The hashtype is either
+``sha1`` (default), ``md5``, ``crypt`` or ``bcrypt`` -- the algorithm used to
+perform a one-way hash of the password.
+
+Note that the ``crypt`` method is only supported on platforms that have the
+standard Python ``crypt`` module available, and ``crypt`` support is only
+available in the Django development version. Likewise the ``bcrypt`` algorithm
+is supported only on platforms that have the standard Python ``bcrypt`` module
+available, and like ``crypt`` it is only supported in the development version.
+
+**Important Note** : ``md5`` and ``crypt`` are both deprecated algorithms that
+are maintained for legacy integration. New applications are recommended to use
+stronger algorithms like ``sha1`` (default) or ``bcrypt``.
+
 PREPEND_WWW
 -----------
 
Index: docs/authentication.txt
===================================================================
--- docs/authentication.txt	(revision 6573)
+++ docs/authentication.txt	(working copy)
@@ -218,13 +218,20 @@
 
 That's hashtype, salt and hash, separated by the dollar-sign character.
 
-Hashtype is either ``sha1`` (default), ``md5`` or ``crypt`` -- the algorithm
-used to perform a one-way hash of the password. Salt is a random string used
-to salt the raw password to create the hash. Note that the ``crypt`` method is
-only supported on platforms that have the standard Python ``crypt`` module
-available, and ``crypt`` support is only available in the Django development
-version.
+Hashtype is either ``sha1`` (default), ``md5``, ``crypt`` or ``bcrypt`` -- the
+algorithm used to perform a one-way hash of the password. Salt is a random
+string used to salt the raw password to create the hash. Note that the ``crypt``
+method is only supported on platforms that have the standard Python ``crypt``
+module available, and ``crypt`` support is only available in the Django
+development version. Likewise the ``bcrypt`` algorithm is supported only on
+platforms that have the standard Python ``bcrypt`` module available, and like
+``crypt`` it is only supported in the development version.
 
+You may change the default hash algorithm by changing the PREFERRED_HASH
+setting. Please note that ``md5`` and ``crypt`` are both deprecated algorithms
+that are maintained for legacy integration. New applications are recommended to
+use stronger algorithms like ``sha1`` (default) or ``bcrypt``.
+
 For example::
 
     sha1$a1976$a36cc8cbf81742a8fb52e221aaeab48ed7f58ab4
