id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux 18144,MD5PasswordHasher: broken backwards compatibility with empty salt,apreobrazhensky@…,nobody,"In our project we stored unsalted MD5 passwords in format: ""md5$$"". In Django 1.3 django.contrib.auth.check_password(...) coped well with such format. In Django 1.4 trying to check such password fails with assertion in django.contrib.auth.hashers.MD5PasswordHasher.encode(...) {{{ Traceback (most recent call last): File ""/home/admin/sites/env/local/lib/python2.7/site-packages/django/core/handlers/base.py"", line 111, in get_response response = callback(request, *callback_args, **callback_kwargs) File ""/home/admin/sites/fxstart-production/source/apps/accounts/decorators.py"", line 17, in _wrapped_view return view_func(request, *args, **kwargs) File ""/home/admin/sites/fxstart-production/source/apps/dashboard_personal/views.py"", line 57, in view_change_password if form.save(): File ""/home/admin/sites/fxstart-production/source/apps/dashboard_personal/forms/change_password.py"", line 129, in save if not self.account.check_withdraw_password(current_password): File ""/home/admin/sites/fxstart-production/source/apps/accounts/models.py"", line 184, in check_withdraw_password return check_password(raw_password, self.withdraw_password) File ""/home/admin/sites/env/local/lib/python2.7/site-packages/django/contrib/auth/hashers.py"", line 45, in check_password is_correct = hasher.verify(password, encoded) File ""/home/admin/sites/env/local/lib/python2.7/site-packages/django/contrib/auth/hashers.py"", line 319, in verify encoded_2 = self.encode(password, salt) File ""/home/admin/sites/env/local/lib/python2.7/site-packages/django/contrib/auth/hashers.py"", line 312, in encode assert salt and '$' not in salt AssertionError }}} As you can see from the code, salt variable is asserted, which means AssertionError is raised every time salt is empty string. Is this intended behavior? (which means we have to regenerate our password's database or workaround it via replacing hashes like ""md5$$"" to """" before calling check_password)",Bug,closed,contrib.auth,1.4,Release blocker,fixed,MD5PasswordHasher check_password salt,slav0nic0@… carsten.fuchs@…,Accepted,1,0,0,1,0,0