Opened 5 years ago

Closed 5 years ago

#26187 closed Cleanup/optimization (fixed)

Remove weak password hashers from the default PASSWORD_HASHERS setting

Reported by: Tim Graham
Owned by: Tim Graham
Component: contrib.auth
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

As discussed on django-developers, removing weak password hashers may be too invasive at this time (particularly for projects integrating with a legacy database), but if we remove weak hashers from the defaults, users will at least be forced to acknowledge that they want to use a weak hasher.

Change History (6)

comment:1 Changed 5 years ago by Tim Graham

Owner: changed from nobody to Tim Graham
Status: new → assigned

comment:2 Changed 5 years ago by Tim Graham

Has patch: set

comment:3 Changed 5 years ago by Claude Paroz

Looking at a rather old app of mine with many users, I see that the only weak hasher still used is salted SHA1. Just wondering if this is simply an isolated example or if this matches the experience of many other projects. In the latter case, we might consider letting this hasher for the next one or two versions. Apart from that question, the patch looks good.
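The description's point (a weak hasher should be an explicit choice) and Claude's question (which weak hashers does a real user table still contain) both come down to the same practical step: count the algorithm prefix of each stored hash, then list only the weak hashers you actually need, after the strong ones, so Django still verifies the old hashes and rewrites them with the first hasher on the next successful login. The script below is an added example, not code from the ticket or from Django; it parses Django's stored-hash formats with no Django import. The strong-hasher list, the set of algorithms treated as weak, and the sample password column are assumptions constructed for the example.

```python
# Added example (not from the ticket or Django): audit the algorithms in a
# password column and build a PASSWORD_HASHERS list that keeps weak hashers
# only as verification fallbacks.
from collections import Counter

# Strong hashers to put first; the first entry is used for new passwords and
# for upgrading old ones on login. Illustrative choice, not Django's exact default.
STRONG_HASHERS = [
    "django.contrib.auth.hashers.PBKDF2PasswordHasher",
    "django.contrib.auth.hashers.BCryptSHA256PasswordHasher",
]

# Algorithm prefix -> legacy hasher class (assumption: the weak hashers this
# ticket drops from the defaults; keep one only while hashes using it remain).
LEGACY_HASHER_CLASSES = {
    "sha1": "django.contrib.auth.hashers.SHA1PasswordHasher",
    "md5": "django.contrib.auth.hashers.MD5PasswordHasher",
    "unsalted_sha1": "django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher",
    "unsalted_md5": "django.contrib.auth.hashers.UnsaltedMD5PasswordHasher",
    "crypt": "django.contrib.auth.hashers.CryptPasswordHasher",
}
WEAK_ALGORITHMS = set(LEGACY_HASHER_CLASSES)


def hash_algorithm(encoded):
    """Name the algorithm of one stored password string.

    Django stores '<algorithm>$<salt>$<hash>' for salted hashers, '!...' for
    unusable passwords, a bare 32-hex-char string for unsalted MD5 and
    'sha1$$<40 hex>' for unsalted SHA1.
    """
    if not encoded:
        return "empty"
    if encoded.startswith("!"):
        return "unusable"
    if "$" not in encoded and len(encoded) == 32:
        return "unsalted_md5"
    if encoded.startswith("sha1$$") and len(encoded) == 46:
        return "unsalted_sha1"
    return encoded.split("$", 1)[0]


def audit(encoded_passwords, weak=WEAK_ALGORITHMS):
    """Return (counts per algorithm, counts for weak algorithms only)."""
    counts = Counter(hash_algorithm(e) for e in encoded_passwords)
    weak_found = {alg: n for alg, n in counts.items() if alg in weak}
    return counts, weak_found


def legacy_password_hashers(weak_found):
    """PASSWORD_HASHERS for a project whose table still holds weak hashes:
    strong hashers first, then only the weak ones actually present, so
    existing hashes verify and are re-hashed with STRONG_HASHERS[0] on login."""
    fallbacks = [LEGACY_HASHER_CLASSES[alg] for alg in sorted(weak_found)
                 if alg in LEGACY_HASHER_CLASSES]
    return STRONG_HASHERS + fallbacks


# Constructed sample of a user table's password column (digests abbreviated,
# except the unsalted MD5 entry, which must be exactly 32 hex characters).
SAMPLE_PASSWORD_COLUMN = [
    "pbkdf2_sha256$24000$A1b2C3d4E5f6$Qm9ndXMgZGlnZXN0IGZvciB0aGUgZXhhbXBsZQ==",
    "pbkdf2_sha256$24000$F6e5D4c3B2a1$QW5vdGhlciBib2d1cyBkaWdlc3Q=",
    "pbkdf2_sha256$24000$0a1b2c3d4e5f$VGhpcmQgYm9ndXMgZGlnZXN0",
    "sha1$a1b2c3d4e5f6$0123456789abcdef0123456789abcdef01234567",
    "sha1$deadbeefcafe$89abcdef0123456789abcdef0123456789abcdef",
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "!Lc5XxyYHt2gGZ0qbuaNGqkBCiAbmEsL1YjNRxR7z",
    "",
]

if __name__ == "__main__":
    counts, weak_found = audit(SAMPLE_PASSWORD_COLUMN)
    print("algorithms in use:", dict(counts))
    print("weak hashes still present:", weak_found)
    print("PASSWORD_HASHERS to set:", legacy_password_hashers(weak_found))
```

Once the audit reports zero weak hashes (users who never log in again can be forced to reset), drop the fallbacks and the setting is back to strong hashers only.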

comment:4 Changed 5 years ago by Tim Graham

Thanks Claude, I raised your concern on the mailing list thread.

comment:5 Changed 5 years ago by Tim Graham

As noted on the mailing list, I did a little experiment and cracked about 10% of the SHA1 password hashes in the djangoproject.com database in minutes on my several year old PC. I think that's sufficiently weak to warrant its removal from the defaults.
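Why a salted SHA1 hash falls so quickly, as an added example that is not part of the ticket and not Django's code: Django's legacy SHA1PasswordHasher stores sha1$<salt>$<hex of sha1(salt + password)>, so each guess costs one SHA1 call and the salt only rules out precomputed tables. The script reimplements that format with hashlib, runs a dictionary attack over a constructed wordlist against constructed user hashes, and measures how much more each guess costs against PBKDF2-HMAC-SHA256 (the iteration count is an example value, not Django's exact default). The wordlist, usernames, salts and passwords are all made up for the example.

```python
# Added example (not from the ticket or Django): dictionary attack against
# Django's legacy 'sha1$salt$hash' format, plus a per-guess cost comparison
# with PBKDF2-HMAC-SHA256.
import hashlib
import hmac
import time


def sha1_encode(password, salt):
    """Legacy Django SHA1PasswordHasher format: sha1$<salt>$<sha1(salt+password)>."""
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return "sha1$%s$%s" % (salt, digest)


def sha1_verify(password, encoded):
    """Constant-time check of a candidate password against a stored hash."""
    algorithm, salt, _digest = encoded.split("$", 2)
    if algorithm != "sha1":
        raise ValueError("not a salted SHA1 hash: %r" % algorithm)
    return hmac.compare_digest(sha1_encode(password, salt), encoded)


def crack_sha1(encoded_hashes, wordlist):
    """Return {encoded_hash: password} for every hash whose password is in wordlist.

    Cost is one SHA1 per (hash, word) pair. The salt forces one digest per hash
    rather than one per word, but adds no work beyond that, which is why a
    plain dictionary runs through it in seconds.
    """
    parsed = []
    for encoded in encoded_hashes:
        algorithm, salt, digest = encoded.split("$", 2)
        if algorithm == "sha1":
            parsed.append((encoded, salt.encode(), digest))
    cracked = {}
    for word in wordlist:
        word_bytes = word.encode()
        for encoded, salt, digest in parsed:
            if encoded in cracked:
                continue
            if hashlib.sha1(salt + word_bytes).hexdigest() == digest:
                cracked[encoded] = word
    return cracked


def cost_ratio(iterations=24000, sha1_samples=20000, pbkdf2_samples=20):
    """Seconds per guess for PBKDF2-HMAC-SHA256 divided by seconds per guess
    for salted SHA1, measured on this machine. Larger means slower to crack."""
    salt = b"a1b2c3d4e5f6"
    start = time.perf_counter()
    for _ in range(sha1_samples):
        hashlib.sha1(salt + b"guess").hexdigest()
    sha1_per_guess = (time.perf_counter() - start) / sha1_samples
    start = time.perf_counter()
    for _ in range(pbkdf2_samples):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations)
    pbkdf2_per_guess = (time.perf_counter() - start) / pbkdf2_samples
    return pbkdf2_per_guess / max(sha1_per_guess, 1e-9)


# Constructed data: a small wordlist and four users, three with dictionary
# passwords and one with a password the wordlist does not contain.
WORDLIST = ["letmein", "password", "123456", "qwerty", "django",
            "Summer2015", "correcthorse"]
SAMPLE_USERS = {
    "alice": sha1_encode("password", "a1b2c3d4e5f6"),
    "bob": sha1_encode("Summer2015", "0f1e2d3c4b5a"),
    "carol": sha1_encode("123456", "deadbeefcafe"),
    "dave": sha1_encode("Xk9#vQ2!rLp7", "123456789abc"),
}

if __name__ == "__main__":
    found = crack_sha1(SAMPLE_USERS.values(), WORDLIST)
    for user, encoded in SAMPLE_USERS.items():
        print(user, "->", found.get(encoded, "(not in wordlist)"))
    print("PBKDF2 guess costs %.0fx a salted SHA1 guess" % cost_ratio())
```

On a typical machine the ratio comes out in the thousands, which is the whole difference between cracking a tenth of a user table in minutes and not getting through a wordlist at all.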

comment:6 Changed 5 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assigned → closed

In 47b5a6a:

Fixed #26187 -- Removed weak password hashers from PASSWORD_HASHERS.
