Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#33793 closed New feature (wontfix)

Check for PASSWORD_HASHERS

Reported by: Francisco Couzo Owned by: nobody
Component: Core (System checks) Version:
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I think it would be a good idea for the check command to check that PASSWORD_HASHERS[0] is not any of the insecure password hashers such as MD5PasswordHasher or SHA1PasswordHasher.

I can take care of implementing this if there's interest on this feature.

Change History (2)

comment:1 by Mariusz Felisiak, 3 years ago

Resolution: wontfix
Status: newclosed

Django keeps "weak" password hashers for support with legacy systems and speeding up the tests. Moreover they are not enabled by default, so you must add them explicitly to the PASSWORD_HASHERS. Folks that do this should be aware of their weakness. IMO there is not need for a new system check.

You can start a discussion on DevelopersMailingList if you don't agree.

Note: See TracTickets for help on using tickets.
Back to Top