id: 19043
summary: Mutable Password Hash Strength
reporter: Jason Buckner
owner: nobody
description:
  Django 1.4 introduced automatic conversion of passwords from one hashing algorithm to another. Some algorithms, notably Bcrypt and PBKDF2, can have different work factors and iterations. Currently there's no way to change the difficulty of the particular algorithm without subclassing it and writing your own hasher. Even then, it won't re-hash the password with the new difficulty.

  This patch adds two Django settings, {{{BCRYPT_ROUNDS}}} (as used in django-bcrypt) and {{{PBKDF2_ITERATIONS}}}, depending on your preferred algorithm. If you change these values, the next time {{{check_password()}}} is called when a user logs in, it will re-hash their password with the new difficulty.

  We did this by introducing an {{{is_current()}}} method in the {{{django.contrib.auth.hashers.BasePasswordHasher}}} that returns whether or not the hash matches the desired difficulty. For instance, in the {{{BCryptPasswordHasher}}}, we compare the {{{safe_summary['work factor']}}} against the {{{BCRYPT_ROUNDS}}} setting and if they differ, re-hash the password. There are also tests included.
type: New feature
status: closed
component: contrib.auth
version: dev
severity: Normal
resolution: duplicate
keywords: auth, bcrypt, pbkdf2
cc:
stage: Accepted
has_patch: 1
needs_docs: 1
needs_tests: 0
needs_better_patch: 1
easy: 0
ui_ux: 0
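The mechanism the ticket describes, as an added stand-alone illustration rather than the ticket's own patch or Django's hasher code: a PBKDF2 hasher whose iteration count comes from a setting, an is_current() check that compares the stored hash's iteration count against that setting, and a check_password() that re-hashes with the current setting only after the password has verified. The class and function names, the "$"-separated encoded format, the StoredUser class and the small iteration counts (chosen so the example runs quickly) are all assumptions of this example, not identifiers from the ticket.

```python
import base64
import hashlib
import hmac
import os


class PBKDF2Hasher:
    """Minimal PBKDF2-SHA256 hasher (example only, not Django's implementation).

    `iterations` plays the role of the PBKDF2_ITERATIONS setting from the ticket.
    Encoded form: "pbkdf2_sha256$<iterations>$<salt>$<base64 digest>".
    """

    algorithm = "pbkdf2_sha256"

    def __init__(self, iterations):
        self.iterations = iterations

    def salt(self):
        # 12 random bytes -> 16 base64 chars; the alphabet never contains "$".
        return base64.b64encode(os.urandom(12)).decode("ascii")

    def encode(self, password, salt, iterations=None):
        # Re-hashing an old record must reuse its embedded iteration count,
        # so `iterations` may be overridden by verify().
        iterations = iterations or self.iterations
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt.encode("ascii"), iterations
        )
        return "%s$%d$%s$%s" % (
            self.algorithm, iterations, salt, base64.b64encode(digest).decode("ascii")
        )

    def verify(self, password, encoded):
        algorithm, iterations, salt, _ = encoded.split("$", 3)
        if algorithm != self.algorithm:
            return False
        recomputed = self.encode(password, salt, int(iterations))
        # Constant-time comparison so timing does not leak digest bytes.
        return hmac.compare_digest(recomputed, encoded)

    def is_current(self, encoded):
        """True when the stored hash already uses the configured work factor."""
        _, iterations, _, _ = encoded.split("$", 3)
        return int(iterations) == self.iterations


class StoredUser:
    """Stand-in for a user row holding the encoded password (constructed)."""

    def __init__(self, encoded):
        self.password = encoded

    def set_password(self, encoded):
        self.password = encoded


def check_password(password, user, hasher):
    """Verify, then upgrade the stored hash if its difficulty is out of date.

    The upgrade happens only after a successful verification, because that is
    the only moment the plaintext is available to re-hash.
    """
    if not hasher.verify(password, user.password):
        return False
    if not hasher.is_current(user.password):
        user.set_password(hasher.encode(password, hasher.salt()))
    return True


def demo():
    # Hash created under an older, weaker setting (constructed values).
    old_hasher = PBKDF2Hasher(iterations=1000)
    user = StoredUser(old_hasher.encode("correct horse battery", old_hasher.salt()))
    before = user.password

    # Operator raises the setting; existing hashes are no longer "current".
    new_hasher = PBKDF2Hasher(iterations=2000)
    was_current = new_hasher.is_current(before)

    # A wrong password must neither succeed nor touch the stored hash.
    wrong_ok = check_password("wrong password", user, new_hasher)
    untouched = user.password == before

    # The next successful login re-hashes with the new iteration count.
    right_ok = check_password("correct horse battery", user, new_hasher)
    upgraded = user.password != before and new_hasher.is_current(user.password)
    return {
        "was_current": was_current,
        "wrong_ok": wrong_ok,
        "untouched": untouched,
        "right_ok": right_ok,
        "upgraded": upgraded,
    }


if __name__ == "__main__":
    print(demo())
```

Because verify() reads the iteration count out of the stored string rather than from the setting, old hashes keep verifying after the setting changes; raising the setting therefore never locks anyone out, it only triggers the re-hash on their next successful login.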