id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
13969	auth module should use longer salt for hashing	Craig Younkins	nobody	"As noted here - http://www.pythonsecurity.org/wiki/django/#authentication - the current auth module uses 5 hexadecimal characters as a salt. This is equivalent to 20 bits (log base 2 of 16^5). See http://code.djangoproject.com/browser/django/tags/releases/1.2.1/django/contrib/auth/models.py#L240

PKCS5 v2.1 draft (http://www.rsa.com/rsalabs/node.asp?id=2127) recommends that a salt of at least 64 bits be used. This will strengthen the password scheme by increasing the time needed for dictionary attacks."	Cleanup/optimization	closed	contrib.auth	1.2	Normal	fixed	security		Accepted	1	0	0	1	0	0