Context Navigation

← Previous Ticket
Next Ticket →

#32275 closed New feature (fixed)

Add scrypt password hasher

Reported by:	Alex Gaynor	Owned by:	Anthony Wright
Component:	contrib.auth	Version:	dev
Severity:	Normal	Keywords:
Cc:	Anthony Wright	Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no
Pull Requests:	~~17342~~ merged, ~~13799~~ merged

Description ¶

Currently django defaults to PBKDF2, with options (using third party libraries) for bcrypt and argon2 (and then a large number of legacy options that should be avoided).

When PBKDF2 was originally chosen as the default, it was selected because it was the most secure option that could reasonably be implemented in pure Python with the stdlib.

As of Python 3.6, scrypt is available in the stdlib. scrypt is also substantially more secure than PBKDF2, because it is memory hard. See https://www.tarsnap.com/scrypt/scrypt.pdf (page 14) for a table that assess the relative cost-to-brute-force of scrypt vs. PBKDF2 at the interactive latency.

For these reasons, I think it'd be appropriate for Django to include an scrypt based hasher, and even to default to it for new installations.

Change History (12)

comment:1 by Alex Gaynor, 4 years ago

I should note, that while I can't make any commitments on behalf of a 3rd party, I think there's a reasonable chance this would qualify for a reward under Google's Patch Rewards program: https://www.google.com/about/appsecurity/patch-rewards/ (I have no affiliation with Google)

Link to the scrypt docs: https://docs.python.org/3/library/hashlib.html#hashlib.scrypt

comment:2 by Mariusz Felisiak, 4 years ago

Summary:	Offer an scrypt based password hasher → Add scrypt password hasher
Triage Stage:	Unreviewed → Accepted

comment:3 by Anthony Wright, 4 years ago

Cc:	Anthony Wright added
Owner:	changed from nobody to Anthony Wright
Status:	new → assigned

comment:4 by Anthony Wright, 4 years ago

Wrote scrypt function in crypto.py which uses the hashlib.scrypt function. Wrote ScryptPasswordHasher class in Hashers.py and added it as an option in global_settings. Currently working on tests.

comment:7 by Anthony Wright, 4 years ago

Has patch:	set

Last edited 4 years ago by Tim Graham (previous) (diff)

comment:8 by Tim Graham, 4 years ago

Patch needs improvement:	set

comment:9 by Mariusz Felisiak, 4 years ago

Needs documentation:	set
Patch needs improvement:	unset

comment:10 by Mariusz Felisiak, 4 years ago

Needs documentation:	unset
Triage Stage:	Accepted → Ready for checkin

comment:11 by Mariusz Felisiak <felisiak.mariusz@…>, 4 years ago

Resolution:	→ fixed
Status:	assigned → closed

In 1783b3c:

Fixed #32275 -- Added scrypt password hasher.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@…>

comment:12 by GitHub <noreply@…>, 17 months ago

In 90c75dc4:

Refs #32275 -- Added scrypt password hasher to PASSWORD_HASHERS setting docs.

comment:13 by Mariusz Felisiak <felisiak.mariusz@…>, 17 months ago

In d5b093a2:

[5.0.x] Refs #32275 -- Added scrypt password hasher to PASSWORD_HASHERS setting docs.

Backport of 90c75dc4f37bee19b7c3790519d187e38e293800 from main

comment:14 by Mariusz Felisiak <felisiak.mariusz@…>, 17 months ago

In 99dcba9:

[4.2.x] Refs #32275 -- Added scrypt password hasher to PASSWORD_HASHERS setting docs.

Backport of 90c75dc4f37bee19b7c3790519d187e38e293800 from main

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues