id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
14827,Authentication Backends should be responsible for checking and setting passwords,andornaut,nobody,"== Background & Reasoning ==

This feature request arose when trying to change the default hash algorithm from SHA1 to MD5. The `django.contrib.auth.models.User.set_password()` method assumes sha1. This method is called in a number of places, such as `SetPasswordForm.save()` and `UserCreationForm.save()`. User can be subclassed and set_password overridden, but this change would be intrusive, because the new User Type would have to be substituted in several built-in views and in other places.

== Suggested Solution ==

Instead, the scope of the authentication backend should be expanded to handle checking and setting passwords. Since multiple backends are supported, the first one in the list will take on these responsibilities.

Here is an example of some of the potential changes, for illustrative purposes:

{{{
#!python
# django.contrib.auth.backends.py
from django.conf import settings
from django.contrib.auth import load_backend

def get_authoritative_backend():
    # The first backend is responsible for checking and setting passwords.
    # AUTHENTICATION_BACKENDS holds dotted paths, so load the backend instance.
    return load_backend(settings.AUTHENTICATION_BACKENDS[0])

# django.contrib.auth.models.User
def set_password(self, raw_password):
    backend = django.contrib.auth.backends.get_authoritative_backend()
    backend.set_password(self, raw_password)

def check_password(self, raw_password):
    backend = django.contrib.auth.backends.get_authoritative_backend()
    # Delegate verification to the backend's check_password, not set_password.
    return backend.check_password(self, raw_password)
}}}

The advantage of this approach is that it allows for arbitrary hashing algorithms to be used, and it enables the rest of the system to be unaware and unaffected by these particulars.",New feature,closed,contrib.auth,1.2,Normal,fixed,,David Reynolds,Someday/Maybe,0,0,0,0,0,0