#27010 closed Cleanup/optimization (fixed)
Argon2PasswordHasher.encode() decodes underlying hash as UTF-8 instead of ASCII
Reported by: | Chris Foresman | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 1.10 |
Severity: | Normal | Keywords: | argon2, password, hasher |
Cc: | Triage Stage: | Accepted | |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The new Argon2PasswordHasher
returns a unicode
object in Python 2.7x, though argon2 itself returns only ASCII chars in its hash. Practically speaking this doesn't seem to cause a problem saving this value to a CharField
, but for consistency's sake it probably needs updated to decode('ascii')
instead of decode('utf-8')
as other password hashers do.
Compare:
PBKDF2: https://github.com/django/django/blob/1.10/django/contrib/auth/hashers.py#L259
Argon2: https://github.com/django/django/blob/1.10/django/contrib/auth/hashers.py#L326
See also argon2-cffi: https://github.com/hynek/argon2_cffi/blob/master/src/argon2/_password_hasher.py#L106
Change History (5)
comment:1 by , 8 years ago
Summary: | Argon2PassowrdHasher.encode() returns unicode instead of ascii → Argon2PasswordHasher.encode() returns unicode instead of ascii |
---|
comment:2 by , 8 years ago
Summary: | Argon2PasswordHasher.encode() returns unicode instead of ascii → Argon2PasswordHasher.encode() decodes underlying hash as UTF-8 instead of ASCII |
---|---|
Triage Stage: | Unreviewed → Accepted |
comment:3 by , 8 years ago
Type: | Bug → Cleanup/optimization |
---|
To be clear,
.decode('utf-8')
and.decode('ascii')
both return aunicode
object (in Py2,str
in Py3). The only difference is in how the bytes are interpreted when decoding. Decoding as UTF-8 expects non-ASCII characters in the bytestring to be encoded as UTF-8, decoding as ASCII will choke on any non-ASCII characters in the bytestring.Given that the underlying hasher will only generate strings containing ASCII characters anyway, there is zero functional difference here between
.decode('utf-8')
and.decode('ascii')
. It's still probably worth switching to the latter, for better clarity (to avoid people wondering what in the world the Argon2 hasher needs UTF-8 for).