Add scrypt password hasher
Currently django defaults to PBKDF2, with options (using third party libraries) for bcrypt and argon2 (and then a large number of legacy options that should be avoided).
When PBKDF2 was originally chosen as the default, it was selected because it was the most secure option that could reasonably be implemented in pure Python with the stdlib.
As of Python 3.6, scrypt is available in the stdlib. scrypt is also substantially more secure than PBKDF2, because it is memory hard. See https://www.tarsnap.com/scrypt/scrypt.pdf (page 14) for a table that assess the relative cost-to-brute-force of scrypt vs. PBKDF2 at the interactive latency.
For these reasons, I think it'd be appropriate for Django to include an scrypt based hasher, and even to default to it for new installations.
Change History
(12)
Summary: |
Offer an scrypt based password hasher → Add scrypt password hasher
|
Triage Stage: |
Unreviewed → Accepted
|
Cc: |
Anthony Wright added
|
Owner: |
changed from nobody to Anthony Wright
|
Status: |
new → assigned
|
Patch needs improvement: |
set
|
Needs documentation: |
set
|
Patch needs improvement: |
unset
|
Needs documentation: |
unset
|
Triage Stage: |
Accepted → Ready for checkin
|
Resolution: |
→ fixed
|
Status: |
assigned → closed
|
I should note, that while I can't make any commitments on behalf of a 3rd party, I think there's a reasonable chance this would qualify for a reward under Google's Patch Rewards program: https://www.google.com/about/appsecurity/patch-rewards/ (I have no affiliation with Google)
Link to the scrypt docs: https://docs.python.org/3/library/hashlib.html#hashlib.scrypt