Opened 8 years ago
Closed 8 years ago
#26187 closed Cleanup/optimization (fixed)
Remove weak password hashers from the default PASSWORD_HASHERS setting
| Reported by: | Tim Graham | Owned by: | Tim Graham |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
As discussed on django-developers, removing weak password hashers may be too invasive at this time (particularly for projects integrating with a legacy database), but if we remove weak hashers from the defaults, users will at least be forced to acknowledge that they want to use a weak hasher.
Change History (6)
comment:1 by , 8 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 8 years ago
| Has patch: | set |
|---|
comment:3 by , 8 years ago
Looking at a rather old app of mine with many users, I see that the only weak hasher still used is salted SHA1. Just wondering if this is simply an isolated example or if this matches the experience of many other projects. In the latter case, we might consider letting this hasher for the next one or two versions. Apart from that question, the patch looks good.
comment:5 by , 8 years ago
As noted on the mailing list, I did a little experiment and cracked about 10% of the SHA1 password hashes in the djangoproject.com database in minutes on my several year old PC. I think that's sufficiently weak to warrant its removal from the defaults.
PR