id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux
15367,Improved Auth Password Hashing,Paul Oswald,Paul McMillan,"As discussed on the django-developers mailing list, we aim to improve the default password hashing algorithm Django uses. This ticket will track the changes needed to upgrade the default algorithm to one more resistant to brute force attacks. This may include improvements to ease allowing the developer to change the encryption used to a third party library, whether that is by configuration or by decoupling the authentication code from the User model object.

If you would like to help, please be familiar with the summary and decisions made in the following discussion, at least starting from this message:
http://groups.google.com/group/django-developers/browse_thread/thread/928ed5db00d5b1d8/919ce4798d30656a?#919ce4798d30656a

Also be aware of the past issues surrounding this issue, specifically ticket:13969 which currently has existing code:
 ticket:3316 (Adding `crypt' to list of password hashes for legacy apps. - closed: fixed)
 ticket:5600 (Patch to enhance cryptography on django.contrib.auth - closed: wontfix)
 ticket:5787 (BCrypt password hashing support in Django - closed: duplicate)
 ticket:6028 (add compatibility with glibc2 MD5-based crypt passwords - new)
 ticket:9101 (Improved salt generation for django.contrib.auth - closed: wontfix)
 ticket:9194 (Allow additional hashing algorithms for passwords - closed: duplicate)
 ticket:13969 (auth module should use longer salt for hashing - new)

The plan at this point is to follow this path:
 * Django ships with PBKDF2 by default. This depends on SHA2, which should be python 2.5 compatible (due to hashlib being added in python 2.5), and PBKDF2 is short and simple enough that it could be included into the project. This satisfies NIST/US Gov requirements.
 * SHA1 is maintained for backwards compatibility
 * Salt size increased
 * Configurable settings for the number of hashing rounds to future-proof for faster hardware

We can also investigate simplified ways of allowing developers to upgrade the hashing library based on their requirements; however, it is more important to get the default improved and that is where we should focus.",New feature,closed,contrib.auth,,Release blocker,fixed,"password, hash, hashing, bcrypt, scrypt, pbkdf2, sha2, sha1",jtunney@… Paul Oswald Donald Stufft,Accepted,1,1,0,1,0,0
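The four points of the plan in the ticket (PBKDF2 from hashlib as the default, a larger random salt, a configurable round count, and SHA1 kept so existing rows still verify) fit together as one verify-and-upgrade routine. The following is an added Python example written for this page; it is not code from the ticket, from Django, or from any patch attached to it. The storage formats `pbkdf2_sha256$<iterations>$<salt>$<base64>` and `sha1$<salt>$<hexdigest>`, the function names, `DEFAULT_ITERATIONS` and `SALT_BYTES` are this example's own assumptions, loosely modelled on the `algorithm$salt$hash` layout Django used at the time rather than reproducing it.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed tunables for this example (not Django settings): the round count is
# the "configurable number of hashing rounds" from the ticket, the salt size is
# the "increased salt size". Both are stored alongside the hash so they can be
# raised later without breaking existing entries.
DEFAULT_ITERATIONS = 100_000
SALT_BYTES = 16


def make_pbkdf2(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<b64 derived key>' (assumed format)."""
    if salt is None:
        # Fresh random salt per password; hex keeps it free of the '$' separator.
        salt = secrets.token_hex(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt.encode("ascii"), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt,
                                       base64.b64encode(dk).decode("ascii"))


def make_legacy_sha1(password, salt):
    """Legacy 'sha1$<salt>$<hexdigest>' entry, kept only so old rows still verify."""
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return "sha1$%s$%s" % (salt, digest)


def check_password(password, encoded):
    """Verify a password against either stored format; unknown/malformed -> False."""
    try:
        algorithm = encoded.split("$", 1)[0]
        if algorithm == "pbkdf2_sha256":
            _, iterations, salt, _ = encoded.split("$")
            candidate = make_pbkdf2(password, salt, int(iterations))
        elif algorithm == "sha1":
            _, salt, _ = encoded.split("$")
            candidate = make_legacy_sha1(password, salt)
        else:
            return False
    except ValueError:
        return False
    # Constant-time comparison of the two encoded strings.
    return hmac.compare_digest(candidate, encoded)


def needs_rehash(encoded, iterations=DEFAULT_ITERATIONS):
    """True if the entry is legacy SHA1 or was made with fewer rounds than we now want."""
    parts = encoded.split("$")
    if parts[0] != "pbkdf2_sha256":
        return True
    try:
        return int(parts[1]) < iterations
    except (IndexError, ValueError):
        return True


def check_and_upgrade(password, encoded, iterations=DEFAULT_ITERATIONS):
    """Verify; on success return (True, entry), where entry is re-hashed with the
    current algorithm and round count if the stored one is weaker. This is the
    only moment the plaintext is available to migrate a legacy SHA1 row."""
    if not check_password(password, encoded):
        return False, encoded
    if needs_rehash(encoded, iterations):
        return True, make_pbkdf2(password, iterations=iterations)
    return True, encoded


if __name__ == "__main__":
    # Constructed sample: a pre-existing legacy row and a login with the right password.
    old_row = make_legacy_sha1("correct horse", "ab12c")
    ok, new_row = check_and_upgrade("correct horse", old_row)
    print(ok, new_row.split("$")[:2])  # True ['pbkdf2_sha256', '100000']
```

Because the iteration count travels with each hash, raising `DEFAULT_ITERATIONS` later is a one-line change: old entries keep verifying with their recorded count and are silently re-hashed at the stronger setting on the user's next successful login, which is the migration path the ticket's "future-proof for faster hardware" point calls for.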