id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
19043	Mutable Password Hash Strength	Jason Buckner	nobody	"Django 1.4 introduced automatic conversion of passwords from one hashing algorithm to another. Some algorithms, notably Bcrypt and PBKDF2, can have different work factors and iterations. Currently there's no way to change the difficulty of the particular algorithm without subclassing it and writing your own hasher. Even then, it won't re-hash the password with the new difficulty.

This patch adds two Django settings, {{{BCRYPT_ROUNDS}}} (as used in django-bcrypt) and {{{PBKDF2_ITERATIONS}}}, depending on your preferred algorithm. If you change these values, the next time {{{check_password()}}} is called when a user logs in, it will re-hash their password with the new difficulty.

We did this by introducing an {{{is_current()}}} method in the {{{django.contrib.auth.hashers.BasePasswordHasher}}} that returns whether or not the hash matches the desired difficulty. For instance, in the {{{BCryptPasswordHasher}}}, we compare the {{{safe_summary['work factor']}}} against the {{{BCRYPT_ROUNDS}}} setting and if they differ, re-hash the password.

There are also tests included."	New feature	closed	contrib.auth	dev	Normal	duplicate	auth, bcrypt, pbkdf2		Accepted	1	1	0	1	0	0
