Opened 5 years ago

Closed 5 years ago

#17777 closed Bug (fixed)

MD5PasswordHasher is not using salt

Reported by: gunnar@… Owned by: Paul McMillan
Component: contrib.auth Version: 1.4-beta-1
Severity: Release blocker Keywords: MD5PasswordHasher MD5 salt login
Cc: mbt@… Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Django 1.3.1:
In line 32 md5 passwort hash is calculated with salt.

 return md5_constructor(salt + raw_password).hexdigest()

Django 1.4 beta 1 uses md5 without salt:

 return hashlib.md5(password).hexdigest()

Verification of passwords from users of Django 1.3.1 with md5 password with salt is failing.
Therefore this users can't login anymore.

Change History (6)

comment:1 Changed 5 years ago by Michael B. Trausch

Cc: mbt@… added
Needs documentation: unset
Needs tests: unset
Patch needs improvement: unset

comment:2 Changed 5 years ago by Aymeric Augustin

Owner: changed from nobody to Paul McMillan
Triage Stage: UnreviewedAccepted

comment:3 Changed 5 years ago by Paul McMillan

Type: UncategorizedBug

This is related to the fact that we actually had 2 separate forms of MD5 hashing historically, and the md5 hasher in the patch only deals with one of them:

comment:4 Changed 5 years ago by Paul McMillan

Resolution: fixed
Status: newclosed

In [17604]:

Fixes #17777 and makes tests run again.

Adds a salted MD5 hasher for backwards compatibility.
Thanks gunnar@… for the report.

Also fixes a bug preventing the hasher tests from being run during
contrib tests.

comment:5 Changed 5 years ago by Ronkay János Péter

Resolution: fixed
Status: closedreopened

ReadOnlyPasswordHashWidget also needs to be changed to use unsalted_md5 here:

comment:6 Changed 5 years ago by Paul McMillan

Resolution: fixed
Status: reopenedclosed

In [17681]:

Fixed #17777. Unsalted MD5 display widget correction.

Note: See TracTickets for help on using tickets.
Back to Top