Mutable Password Hash Strength
|Reported by:||jbuckner||Owned by:||nobody|
|Severity:||Normal||Keywords:||auth, bcrypt, pbkdf2|
|Has patch:||yes||Needs documentation:||yes|
|Needs tests:||no||Patch needs improvement:||yes|
Django 1.4 introduced automatic conversion of passwords from one hashing algorithm to another. Some algorithms, notably Bcrypt and PBKDF2, can have different work factors and iterations. Currently there's no way to change the difficulty of the particular algorithm without subclassing it and writing your own hasher. Even then, it won't re-hash the password with the new difficulty.
This patch adds two Django settings, BCRYPT_ROUNDS (as used in django-bcrypt) and PBKDF2_ITERATIONS, depending on your preferred algorithm. If you change these values, the next time check_password() is called when a user logs in, it will re-hash their password with the new difficulty.
We did this by introducing an is_current() method in the django.contrib.auth.hashers.BasePasswordHasher that returns whether or not the hash matches the desired difficulty. For instance, in the BCryptPasswordHasher, we compare the safe_summary['work factor'] against the BCRYPT_ROUNDS setting and if they differ, re-hash the password.
There are also tests included.
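The upgrade-on-login behaviour described above, as an added standalone sketch (not the ticket's patch and not Django's code). It uses `hashlib` directly, borrows the `algorithm$iterations$salt$hash` layout of Django's PBKDF2 hashes, and assumes a module-level `PBKDF2_ITERATIONS` constant in place of the proposed setting; the user record and all values are constructed.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
# Stand-in for the PBKDF2_ITERATIONS setting proposed in the ticket (constructed value).
PBKDF2_ITERATIONS = 20000


def encode(password, salt, iterations):
    """Return 'algorithm$iterations$salt$hash', keeping the cost beside the hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, base64.b64encode(digest).decode())


def make_password(password, iterations=None):
    return encode(password, secrets.token_hex(8), iterations or PBKDF2_ITERATIONS)


def is_current(encoded):
    """True when the stored hash already uses the configured iteration count."""
    algorithm, iterations, _salt, _hash = encoded.split("$", 3)
    return algorithm == ALGORITHM and int(iterations) == PBKDF2_ITERATIONS


def check_password(password, encoded, setter=None):
    """Verify a login attempt; on success, re-hash if the stored cost is stale."""
    algorithm, iterations, salt, _hash = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        return False
    candidate = encode(password, salt, int(iterations))
    ok = hmac.compare_digest(candidate.encode(), encoded.encode())
    # Re-hash only after a successful check: that is the only moment the
    # plaintext is available, and a failed guess must never rewrite the hash.
    if ok and setter is not None and not is_current(encoded):
        setter(make_password(password))
    return ok


def demo():
    """Constructed user record hashed at an old cost, then upgraded on login."""
    store = {"alice": make_password("s3cret", iterations=1000)}
    save = lambda new: store.update(alice=new)
    wrong = check_password("guess", store["alice"], save)
    stale_after_wrong = not is_current(store["alice"])
    right = check_password("s3cret", store["alice"], save)
    return wrong, stale_after_wrong, right, is_current(store["alice"])
```

Because the comparison is for inequality, as the ticket describes, a lowered setting would also trigger a re-hash at the weaker cost on the next login.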
Change History (7)
Changed 17 months ago by jbuckner
comment:1 Changed 17 months ago by jbuckner
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset