Opened 4 years ago

Closed 4 years ago

#17777 closed Bug (fixed)

MD5PasswordHasher is not using salt

Reported by: gunnar@… Owned by: PaulM
Component: contrib.auth Version: 1.4-beta-1
Severity: Release blocker Keywords: MD5PasswordHasher MD5 salt login
Cc: mbt@… Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Django 1.3.1:
In line 32 md5 passwort hash is calculated with salt.

 return md5_constructor(salt + raw_password).hexdigest()

Django 1.4 beta 1 uses md5 without salt:

 return hashlib.md5(password).hexdigest()

Verification of passwords from users of Django 1.3.1 with md5 password with salt is failing.
Therefore this users can't login anymore.

Change History (6)

comment:1 Changed 4 years ago by mbt

  • Cc mbt@… added
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

comment:2 Changed 4 years ago by aaugustin

  • Owner changed from nobody to PaulM
  • Triage Stage changed from Unreviewed to Accepted

comment:3 Changed 4 years ago by PaulM

  • Type changed from Uncategorized to Bug

This is related to the fact that we actually had 2 separate forms of MD5 hashing historically, and the md5 hasher in the patch only deals with one of them:

comment:4 Changed 4 years ago by PaulM

  • Resolution set to fixed
  • Status changed from new to closed

In [17604]:

Fixes #17777 and makes tests run again.

Adds a salted MD5 hasher for backwards compatibility.
Thanks gunnar@… for the report.

Also fixes a bug preventing the hasher tests from being run during
contrib tests.

comment:5 Changed 4 years ago by Hangya

  • Resolution fixed deleted
  • Status changed from closed to reopened

ReadOnlyPasswordHashWidget also needs to be changed to use unsalted_md5 here:

comment:6 Changed 4 years ago by PaulM

  • Resolution set to fixed
  • Status changed from reopened to closed

In [17681]:

Fixed #17777. Unsalted MD5 display widget correction.

Note: See TracTickets for help on using tickets.
Back to Top