Opened 5 years ago

Closed 4 years ago

Last modified 4 years ago

#24115 closed New feature (fixed)

Bcrypt hashers don't implement must_update

Reported by: Alex Rothberg
Owned by: nobody
Component: contrib.auth
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Alex Rothberg)

If the number of rounds is changed for the bcrypt hashers it does not appear that the must_update will ever return True. This is because the default implementation is used.

For comparison, see passlib which does in fact perform migrations for bcrypt.
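The gap described above, as an added example that is not part of the ticket and is not Django's or passlib's code: a stand-alone check that reads the cost out of a Django-style encoded bcrypt hash and flags rows whose cost differs from the configured rounds, next to the default that never asks for a rehash. The function names, the `audit` helper and the sample rows are assumptions made for illustration.

```python
import re

# Django stores bcrypt hashes as "<algorithm>$<bcrypt string>", where the bcrypt
# string is "$<variant>$<2-digit cost>$<22-char salt><31-char digest>".
ENCODED_RE = re.compile(
    r"^(?P<algorithm>bcrypt(?:_sha256)?)\$"
    r"\$(?P<variant>2[abxy]?)\$(?P<rounds>\d{2})\$"
    r"(?P<data>[./A-Za-z0-9]{53})$"
)

def default_must_update(encoded):
    """Behaviour the ticket describes: the default never asks for a rehash."""
    return False

def parse_rounds(encoded):
    """Return the log2 cost stored in an encoded bcrypt hash, or raise ValueError."""
    m = ENCODED_RE.match(encoded)
    if m is None:
        raise ValueError("not a Django-style bcrypt hash")
    rounds = int(m.group("rounds"))
    if not 4 <= rounds <= 31:
        raise ValueError("bcrypt cost out of range: %d" % rounds)
    return rounds

def must_update(encoded, configured_rounds):
    """Rounds-aware check: rehash whenever the stored cost differs from the setting."""
    return parse_rounds(encoded) != configured_rounds

def audit(encoded_hashes, configured_rounds):
    """Map each user to 'ok', 'rehash' or 'malformed' for a table of stored hashes."""
    report = {}
    for user, encoded in encoded_hashes.items():
        try:
            report[user] = "rehash" if must_update(encoded, configured_rounds) else "ok"
        except ValueError:
            report[user] = "malformed"
    return report

# Constructed sample rows; the 53-character tails are filler, not real digests.
FILLER = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE = {
    "alice": "bcrypt_sha256$$2b$10$" + FILLER,   # hashed before the cost was raised
    "bob": "bcrypt_sha256$$2b$12$" + FILLER,     # matches the current setting
    "carol": "bcrypt$$2a$12$" + FILLER,          # plain bcrypt hasher, current cost
    "dave": "bcrypt_sha256$$2b$12$short",        # truncated row
}

if __name__ == "__main__":
    print(audit(SAMPLE, configured_rounds=12))
```

Because the plaintext is only available at login, a row flagged `rehash` can only be re-encoded the next time that user authenticates successfully.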

Change History (9)

comment:1 Changed 5 years ago by Alex Rothberg

Description: modified (diff)

comment:2 Changed 5 years ago by Alex Rothberg

Description: modified (diff)

comment:3 Changed 5 years ago by Tim Graham

Cc: Florian Apolloner added
Component: Uncategorized → contrib.auth

Seems reasonable, but just would like Florian to confirm this wasn't an intentional omission in 7d0d0dbf26a3c0d16e9c2b930fd6d7b89f215946.

comment:4 in reply to:  3 Changed 5 years ago by Florian Apolloner

Replying to timgraham:

> Seems reasonable, but just would like Florian to confirm this wasn't an intentional omission in 7d0d0dbf26a3c0d16e9c2b930fd6d7b89f215946.

It was intentional, I think Alex was against it, not sure why anymore…

comment:5 Changed 5 years ago by Tim Graham

Cc: Alex Gaynor Tim Graham added

comment:6 Changed 5 years ago by Tim Graham

Cc: Florian Apolloner Alex Gaynor Tim Graham removed
Triage Stage: Unreviewed → Accepted

Alex says, "I'm definitely not against bcrypt implementing must_upgrade."

comment:7 Changed 5 years ago by Tim Graham

Has patch: set
Type: Bug → New feature

comment:8 Changed 4 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: new → closed

In b86abbce:

Fixed #24115 -- Allowed bcrypt hashers to upgrade passwords on rounds change.

Thanks Florian Apolloner for the review.

comment:9 Changed 4 years ago by Tim Graham <timograham@…>

In cb1e779:

Refs #24115 -- Added docs for password updates on bcrypt rounds change.
