Mutable Password Hash Strength
Reported by: Jason Buckner
Owned by: nobody
Severity: Normal
Keywords: auth, bcrypt, pbkdf2
Has patch: yes
Needs documentation: yes
Needs tests: no
Patch needs improvement: yes
Django 1.4 introduced automatic conversion of passwords from one hashing algorithm to another. Some algorithms, notably Bcrypt and PBKDF2, can have different work factors and iterations. Currently there's no way to change the difficulty of the particular algorithm without subclassing it and writing your own hasher. Even then, it won't re-hash the password with the new difficulty.
This patch adds two Django settings, BCRYPT_ROUNDS (as used in django-bcrypt) and PBKDF2_ITERATIONS, depending on your preferred algorithm. If you change these values, the next time check_password() is called when a user logs in, it will re-hash their password with the new difficulty.
We did this by introducing an is_current() method in the django.contrib.auth.hashers.BasePasswordHasher that returns whether or not the hash matches the desired difficulty. For instance, in the BCryptPasswordHasher, we compare the safe_summary['work factor'] against the BCRYPT_ROUNDS setting and if they differ, re-hash the password.

There are also tests included.
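The mechanism the ticket describes, shown as an added, self-contained example rather than the attached patch or Django's own code: a minimal PBKDF2 hasher (standard-library hashlib only, no Django import) that stores the iteration count inside the encoded hash, an is_current() method that compares the stored count against a module-level PBKDF2_ITERATIONS value standing in for the proposed setting, and a check_password() that re-hashes through a setter callback when the password verifies but the hash is stale. Passing the hasher explicitly, the hash format, and the login() helper are simplifications assumed for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed value standing in for the PBKDF2_ITERATIONS setting the ticket proposes.
# Raising it should cause stale hashes to be upgraded at the next successful login.
PBKDF2_ITERATIONS = 20000


class PBKDF2PasswordHasher:
    """Simplified stand-in for a Django-style hasher (not Django's implementation).

    Encoded form: "<algorithm>$<iterations>$<salt>$<base64 hash>".
    """

    algorithm = "pbkdf2_sha256"

    def __init__(self, iterations=None):
        # Default to the setting so a plain PBKDF2PasswordHasher() reflects current policy.
        self.iterations = PBKDF2_ITERATIONS if iterations is None else iterations

    def salt(self):
        # base64 never contains '$', so the delimiter stays unambiguous.
        return base64.b64encode(os.urandom(12)).decode("ascii")

    def encode(self, password, salt, iterations=None):
        iterations = self.iterations if iterations is None else iterations
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("ascii"), iterations)
        digest = base64.b64encode(dk).decode("ascii")
        return f"{self.algorithm}${iterations}${salt}${digest}"

    def verify(self, password, encoded):
        # Re-derive with the iteration count recorded in the hash, not the current setting,
        # so old hashes still verify; compare in constant time.
        algorithm, iterations, salt, _digest = encoded.split("$", 3)
        if algorithm != self.algorithm:
            return False
        candidate = self.encode(password, salt, int(iterations))
        return hmac.compare_digest(candidate, encoded)

    def safe_summary(self, encoded):
        algorithm, iterations, salt, digest = encoded.split("$", 3)
        return {"algorithm": algorithm, "iterations": int(iterations),
                "salt": salt[:2] + "*" * (len(salt) - 2), "hash": digest[:6] + "..."}

    def is_current(self, encoded):
        """True when the hash was produced with the currently configured difficulty."""
        return self.safe_summary(encoded)["iterations"] == self.iterations


def check_password(password, encoded, setter, hasher):
    """Verify; if correct but the hash is stale, call setter(password) to re-hash it."""
    if not hasher.verify(password, encoded):
        return False  # never touch the stored hash on a failed check
    if not hasher.is_current(encoded):
        setter(password)
    return True


def login(user, password, hasher):
    """Simulated login path over a dict-backed user record (constructed for the example)."""
    def setter(raw_password):
        user["password"] = hasher.encode(raw_password, hasher.salt())
    return check_password(password, user["password"], setter, hasher)


if __name__ == "__main__":
    old_policy = PBKDF2PasswordHasher(iterations=1000)
    user = {"username": "alice", "password": old_policy.encode("correct horse", old_policy.salt())}
    current = PBKDF2PasswordHasher()  # uses PBKDF2_ITERATIONS
    print("stale before login:", not current.is_current(user["password"]))
    print("login ok:", login(user, "correct horse", current))
    print("upgraded:", current.is_current(user["password"]), current.safe_summary(user["password"]))
```

The key design point is in verify(): it derives with the iteration count stored in the hash, so changing the setting never locks out users with old hashes; the upgrade happens only after a successful check, and a failed login leaves the stored hash untouched.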