Opened 8 years ago

Closed 8 years ago

#26187 closed Cleanup/optimization (fixed)

Remove weak password hashers from the default PASSWORD_HASHERS setting

Reported by: Tim Graham Owned by: Tim Graham
Component: contrib.auth Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


As discussed on django-developers, removing weak password hashers may be too invasive at this time (particularly for projects integrating with a legacy database), but if we remove weak hashers from the defaults, users will at least be forced to acknowledge that they want to use a weak hasher.

Change History (6)

comment:1 by Tim Graham, 8 years ago

Owner: changed from nobody to Tim Graham
Status: newassigned

comment:2 by Tim Graham, 8 years ago

Has patch: set

comment:3 by Claude Paroz, 8 years ago

Looking at a rather old app of mine with many users, I see that the only weak hasher still used is salted SHA1. Just wondering if this is simply an isolated example or if this matches the experience of many other projects. In the latter case, we might consider letting this hasher for the next one or two versions. Apart from that question, the patch looks good.

comment:4 by Tim Graham, 8 years ago

Thanks Claude, I raised your concern on the mailing list thread.

comment:5 by Tim Graham, 8 years ago

As noted on the mailing list, I did a little experiment and cracked about 10% of the SHA1 password hashes in the database in minutes on my several year old PC. I think that's sufficiently weak to warrant its removal from the defaults.

comment:6 by Tim Graham <timograham@…>, 8 years ago

Resolution: fixed
Status: assignedclosed

In 47b5a6a:

Fixed #26187 -- Removed weak password hashers from PASSWORD_HASHERS.

Note: See TracTickets for help on using tickets.
Back to Top