Opened 5 years ago

Closed 4 years ago

#26033 closed New feature (fixed)

Add argon2 password hasher

Reported by: Tim Graham Owned by: nobody
Component: contrib.auth Version: master
Severity: Normal Keywords: 1.10
Cc: Adrian Moisey Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

argon2 is the winner of the Password Hashing Competition and there was no objections on the mailing list to adding it.

PR

Change History (11)

comment:1 Changed 5 years ago by Tim Graham

Needs documentation: set

Patch is missing documentation.

comment:2 Changed 5 years ago by Tim Graham

Needs documentation: unset

comment:3 Changed 5 years ago by Adrian Moisey

Cc: Adrian Moisey added

comment:4 Changed 5 years ago by Tim Graham

Patch needs improvement: set

Left a few more comments for improvement.

comment:5 Changed 4 years ago by Tim Graham

Patch needs improvement: unset

comment:6 Changed 4 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: newclosed

In b4250ea:

Fixed #26033 -- Added Argon2 password hasher.

comment:7 Changed 4 years ago by Tim Graham <timograham@…>

In e47b5225:

Refs #26033 -- Temporarily pinned argon2-cffi test requirement.

The latest version (16.1) is backwards-incompatible for Django.

comment:8 Changed 4 years ago by Tim Graham

Has patch: unset
Keywords: 1.10 added
Resolution: fixed
Status: closednew

As discussed on the original pull request, Bas will provide a patch for compatibility with argon2-cffi 16.1.

comment:9 Changed 4 years ago by Tim Graham

Has patch: set
Triage Stage: AcceptedReady for checkin

PR for Argon2 1.3 support.

comment:10 Changed 4 years ago by Tim Graham <timograham@…>

In a5033db:

Refs #26033 -- Added password hasher support for Argon2 v1.3.

The previous version of Argon2 uses encoded hashes of the form:

$argon2d$m=8,t=1,p=1$<salt>$<data>

The new version of Argon2 adds its version into the hash:

$argon2d$v=19$m=8,t=1,p=1$<salt>$<data>

This lets Django handle both version properly.

comment:11 Changed 4 years ago by Tim Graham

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.
Back to Top