#34017 closed Cleanup/optimization (fixed)
Mention that when using Argon2PasswordHasher, this means Argon2id gets used
| Reported by: | David Schultz | Owned by: | Ritik Soni |
|---|---|---|---|
| Component: | Documentation | Version: | 4.1 |
| Severity: | Normal | Keywords: | Argon2 Argon2id hashing algorithm password management |
| Cc: | Triage Stage: | Ready for checkin | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | yes | UI/UX: | no |
Description
In the documentation page on "Password management in Django", the section on Argon2 should mention that with the settings described there, the specific algorithm that gets actually used is the variant Argon2id. Namely, one should not have to look in another place to ascertain which precise algorithm gets used when one makes the changes described there (as it's quite important to know for sure that one will indeed be using Argon2id instead of any other variant out there).
Link to the documentation section concerned: https://docs.djangoproject.com/en/4.1/topics/auth/passwords/#using-argon2-with-django
Currently, the fact that Argon2id is indeed the default in Django (when using Argon2), is to my knowledge only mentioned here: https://docs.djangoproject.com/en/4.1/releases/3.2/
Change History (7)
comment:1 by , 2 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 2 years ago
| Easy pickings: | set |
|---|
comment:3 by , 2 years ago
Currently I can't familiarize myself with the steps necessary to prepare such a patch, so I would kindly ask you or someone else to do this. The text which I would propose is this, building upon your suggestion:
-
docs/topics/auth/passwords.txt
diff --git a/docs/topics/auth/passwords.txt b/docs/topics/auth/passwords.txt index ???..??? ???
a b Using Argon2 with Django 83 83 Argon2_ is the winner of the 2015 `Password Hashing Competition`_, a community 84 84 organized open competition to select a next generation hashing algorithm. It's 85 85 designed not to be easier to compute on custom hardware than it is to compute 86 on an ordinary CPU. 86 on an ordinary CPU. The default variant for the Argon2 password hasher is 87 Argon2id. 87 88 88 89 Argon2_ is not the default for Django because it requires a third-party 89 90 library. The Password Hashing Competition panel, however, recommends immediate 90 91 use of Argon2 rather than the other algorithms supported by Django. 91 92 92 To use Argon2 as your default storage algorithm, do the following:93 To use Argon2id as your default storage algorithm, do the following:
comment:4 by , 2 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
Agreed. Would you like to prepare a patch? It should be enough to mention
Argon2idin topics, e.g.docs/topics/auth/passwords.txt