id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
20079	Improve security of password reset tokens	Jacob	Erik Romijn <erik@…>	"
If SECRET_KEY remains secret, the admin/auth password reset functionality should be very secure. However, it is less secure if the SECRET_KEY is exposed, but could be improved.

'''Risk'''

Attacker could gain access to a staff or superuser account, which often gets you a very high level of access to information and ability to change/delete information.

'''Difficulty'''

Using the default reset token generator, the attacker would need to know:

 * pk of admin - this is very easy to guess, since a superuser will often have pk=1, and other staff users have increasing IDs
 * hashed password of user
   * if this is set to ""!"", an unusable password, this is easy to guess
   * otherwise almost impossible
 * last login timestamp, truncated to second precision.

An attacker who knows SECRET_KEY has a practical chance of success if there are admin users with no password set. This can happen if the 'createsuperuser' command is used in a script, or other situations. For such users, the last login timestamp is never updated, and will be the time the user was created on the system, and it's possible an attacker could have a good idea of this. If they know it to within 2 weeks, that's 1.2 million values to try, which is feasible over a network if they don't mind waiting.

'''Solution'''

The probability of attack here is pretty low, and requires knowledge of SECRET_KEY in the first place, but there is an easy way to improve it: add a load of alphanumeric entropy to the 'unusable password', so it is different in every case. An unusable password simply needs to start with ""!"", which makes it an impossible value for any of the hashers (old MD5 only has alphanumeric chars and not !, and new hashers all have $ in the value).
"	Bug	closed	contrib.auth	dev	Normal	fixed	dceu13	eromijn@…	Ready for checkin	1	0	0	0	0	0
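Added example, not part of the ticket above and not Django's own code: a simplified Python model of the reset token the ticket describes (pk, password hash and last_login mixed with SECRET_KEY), the brute force over the last_login second that becomes practical when the password hash is the bare ""!"" sentinel and SECRET_KEY is known, and the proposed fix of appending random alphanumerics to the unusable password. The names make_token, check_token, brute_force_last_login, make_unusable_password and the demo SECRET_KEY are assumptions for illustration; the HMAC layout only approximates Django's PasswordResetTokenGenerator, and the day count is encoded in hex rather than base36 since that detail does not affect the attack. The demo searches a one-hour window to keep the run short; the two-week window from the ticket is the same loop over 1,209,600 values.

```python
"""
Simplified model (not Django's code) of a password reset token that commits
to pk, password hash and last_login under SECRET_KEY, the brute force an
attacker who knows SECRET_KEY can run when the password hash is a fixed
sentinel, and the fix of giving every unusable password its own entropy.
"""
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional

# Constructed demo key. The ticket's scenario assumes it has already leaked.
SECRET_KEY = "demo-secret-key-assumed-leaked"
KEY_SALT = "PasswordResetTokenGenerator"  # per-purpose salt label (assumption)


def salted_hmac(key_salt: str, value: str, secret: str) -> str:
    """Derive a purpose-specific key from SECRET_KEY, then HMAC-SHA1 the value."""
    key = hashlib.sha1((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha1).hexdigest()


def make_token(pk: int, password_hash: str, last_login_ts: int, days: int,
               secret: str = SECRET_KEY) -> str:
    """Token = hex(days) + '-' + every other hex digit of the HMAC over the user state.

    Everything hashed here is either public (days), guessable (pk) or, for a
    user with the bare "!" password, guessable except the last_login second.
    """
    value = f"{pk}{password_hash}{last_login_ts}{days}"
    return f"{days:x}-{salted_hmac(KEY_SALT, value, secret)[::2]}"


def check_token(pk: int, password_hash: str, last_login_ts: int, token: str,
                secret: str = SECRET_KEY) -> bool:
    """Recompute the token for the claimed state and compare in constant time."""
    days_str, _, _ = token.partition("-")
    days = int(days_str, 16)
    return hmac.compare_digest(
        make_token(pk, password_hash, last_login_ts, days, secret), token)


def brute_force_last_login(token: str, pk: int, password_hash: str,
                           window_start: int, window_end: int,
                           secret: str = SECRET_KEY) -> Optional[int]:
    """Attacker's loop: with SECRET_KEY, pk and password hash known, try every
    candidate last_login second and return the one that validates, else None."""
    for ts in range(window_start, window_end + 1):
        if check_token(pk, password_hash, ts, token, secret):
            return ts
    return None


def make_unusable_password(suffix_len: int = 40) -> str:
    """The ticket's fix: '!' followed by random alphanumerics, unique per user.
    Any value starting with '!' is still rejected by every hasher."""
    alphabet = string.ascii_letters + string.digits
    return "!" + "".join(secrets.choice(alphabet) for _ in range(suffix_len))


def is_password_usable(password_hash: str) -> bool:
    """Unusable passwords are recognised by prefix, so the suffix can be anything."""
    return not password_hash.startswith("!")


def demo() -> dict:
    two_weeks = 14 * 24 * 3600            # 1,209,600 candidates, the ticket's estimate
    created = 1_365_000_000               # constructed account-creation time (UTC seconds)
    days = created // 86400
    window = (created - 1800, created + 1800)  # one-hour demo window around the guess

    # Before the fix: password hash is the bare sentinel, so only last_login is unknown.
    token_before = make_token(1, "!", created, days)
    recovered_before = brute_force_last_login(token_before, 1, "!", *window)

    # After the fix: the attacker still guesses "!", but the real hash carries 40
    # random characters, so no timestamp in the window validates.
    unusable = make_unusable_password()
    token_after = make_token(1, unusable, created, days)
    recovered_after = brute_force_last_login(token_after, 1, "!", *window)

    return {
        "two_week_candidates": two_weeks,
        "recovered_before": recovered_before,
        "recovered_after": recovered_after,
        "unusable_is_unusable": not is_password_usable(unusable),
        "suffix_space_bits": round(40 * math.log2(62)),  # entropy the fix adds
    }


if __name__ == "__main__":
    print(demo())
```

The search is linear in the size of the window, which is why the ticket's two-week estimate is feasible over a network; the fix does not change that loop but adds roughly 238 bits of unknown state to each unusable password, so knowing SECRET_KEY, pk and the creation time is no longer enough.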
