Changes between Version 7 and Version 9 of Ticket #34661

Timestamp: Jun 18, 2023, 5:15:59 PM
Author: Fatih Erikli

  • Ticket #34661 – Description (v7 → v9; lines prefixed "-" were removed in v9, lines prefixed "+" were added in v9)

    These are correct password combinations. I am able to look up the users who have their passwords exposed in public.

    + Password **123456** is not a possible case in Django, since the password fields have a complexity validation. However, the salt is available to the attacker when a database is stolen. Salt could be used
    +
    + - to hash the raw password pair in a rainbow table.
    + - to hash the already exposed passwords.
    +
    There is one more element needed for hashing the password, **pepper**, which should be Django project specific. Even when a database is exposed, the attacker will not be able to look up the known passwords, since they don't have the secret pepper key.

    I am not sure about the vulnerability enumeration; however, this causes CWE-760 even though the salt is not weak, but it is known when a database is exposed, because the salt is stored next to the hashed password.

    - I think peppering passwords should be the default behavior of Django.
    + This is a case of when a database is stolen; however, I think Django, by default, should do everything that could be done at the framework level to keep the user information secured.
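To illustrate the salt-versus-pepper argument made in the ticket, here is an added stand-alone Python model (not code from the ticket, and not Django's own hasher implementation) of a Django-style `algorithm$iterations$salt$hash` record, once with only a stored salt and once with an HMAC pepper applied before PBKDF2. The `pbkdf2_sha256_peppered` label, the `pepper_password` helper, the iteration count and the sample salt/pepper values are assumptions constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values for the example; Django's default iteration count is far higher.
ITERATIONS = 100_000
ALGO_SALTED = "pbkdf2_sha256"             # Django's default hasher label
ALGO_PEPPERED = "pbkdf2_sha256_peppered"  # hypothetical label for the peppered variant


def pepper_password(password: str, pepper: bytes) -> bytes:
    """Keyed pre-hash HMAC(pepper, password). The pepper is a server-side secret
    (settings/environment), never stored in the database row."""
    return hmac.new(pepper, password.encode(), "sha256").digest()


def encode_salted(password: str, salt: str, iterations: int = ITERATIONS) -> str:
    """Django-style record 'algorithm$iterations$salt$hash': everything needed
    to recompute the hash sits in the stolen row."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGO_SALTED}${iterations}${salt}${digest.hex()}"


def encode_peppered(password: str, salt: str, pepper: bytes,
                    iterations: int = ITERATIONS) -> str:
    """Same record layout, but the material fed to PBKDF2 is HMAC(pepper, password)."""
    material = pepper_password(password, pepper)
    digest = hashlib.pbkdf2_hmac("sha256", material, salt.encode(), iterations)
    return f"{ALGO_PEPPERED}${iterations}${salt}${digest.hex()}"


def verify(password: str, encoded: str, pepper: Optional[bytes] = None) -> bool:
    """Check a candidate against a stored record. Calling this with pepper=None
    models someone holding only the stolen row (hash + salt, no pepper)."""
    algorithm, iterations, salt, stored = encoded.split("$", 3)
    if algorithm == ALGO_SALTED:
        material = password.encode()
    elif algorithm == ALGO_PEPPERED:
        if pepper is None:
            return False  # hash cannot be recomputed without the server-side secret
        material = pepper_password(password, pepper)
    else:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    digest = hashlib.pbkdf2_hmac("sha256", material, salt.encode(), int(iterations))
    return hmac.compare_digest(digest.hex(), stored)
```

With the salted-only record, `verify` succeeds for the right password using nothing but the row itself; with the peppered record the same row cannot be checked unless the caller also holds the pepper.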