Opened 13 years ago
Closed 13 years ago
#17777 closed Bug (fixed)
MD5PasswordHasher is not using salt
Reported by: | Owned by: | Paul McMillan | |
---|---|---|---|
Component: | contrib.auth | Version: | 1.4-beta-1 |
Severity: | Release blocker | Keywords: | MD5PasswordHasher MD5 salt login |
Cc: | mbt@… | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Django 1.3.1:
In django.contrib.auth.models.py line 32 md5 passwort hash is calculated with salt.
return md5_constructor(salt + raw_password).hexdigest()
Django 1.4 beta 1 uses md5 without salt:
return hashlib.md5(password).hexdigest()
Verification of passwords from users of Django 1.3.1 with md5 password with salt is failing.
Therefore this users can't login anymore.
Change History (6)
comment:1 by , 13 years ago
Cc: | added |
---|
comment:2 by , 13 years ago
Owner: | changed from | to
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:3 by , 13 years ago
Type: | Uncategorized → Bug |
---|
comment:5 by , 13 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
ReadOnlyPasswordHashWidget also needs to be changed to use unsalted_md5 here:
https://code.djangoproject.com/browser/django/trunk/django/contrib/auth/forms.py#L32
Note:
See TracTickets
for help on using tickets.
This is related to the fact that we actually had 2 separate forms of MD5 hashing historically, and the md5 hasher in the patch only deals with one of them:
https://code.djangoproject.com/browser/django/branches/releases/1.3.X/django/contrib/auth/models.py#L268
https://code.djangoproject.com/browser/django/branches/releases/1.3.X/django/contrib/auth/models.py#L31