id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
34661	Peppering user passwords	Fatih Erikli	nobody	"Currently a user's password is stored in the database in this format:

> <algorithm>$<iterations>$<salt>$<hash>

The hash (last column) is the password hashed with the salt in the previous column.

For example, these are two computed passwords, stored in the database, for the same password of two users.

> pbkdf2_sha256$600000$fb9cUsHWK4EMZ7VWGBAcGD$2uwiVefFwanIhxLrv+/t3sKvP4X6tDKEMw/ysHD5dIc=
> pbkdf2_sha256$600000$HgWHWrF2qQD9Owj4XeEkjY$rh0qzfo+/ZCzWbL9ZJa8aKhiO5xoEMfT4EtP/+A+LzI=

The password is **123456**.

Imagine I am an attacker who got the database of a different Django project, and I want to look up the users who have chosen the password 123456.

I have the salts of users stored in database.

> make_password('123456', 'fb9cUsHWK4EMZ7VWGBAcGD')
> pbkdf2_sha256$600000$fb9cUsHWK4EMZ7VWGBAcGD$2uwiVefFwanIhxLrv+/t3sKvP4X6tDKEMw/ysHD5dIc=

> make_password('123456', 'HgWHWrF2qQD9Owj4XeEkjY')
> pbkdf2_sha256$600000$HgWHWrF2qQD9Owj4XeEkjY$rh0qzfo+/ZCzWbL9ZJa8aKhiO5xoEMfT4EtP/+A+LzI=

These are correct password combinations. I am able to look up the users who have their passwords exposed in public.

Password **123456** is not a possible case in Django, since the password fields have complexity validation. However, the salt is available to the attacker when a database is stolen. The salt could be used

- to hash the raw password pair in a rainbow table.
- to hash the already exposed passwords.

There is one more element needed for hashing the password, a **pepper**, which should be project-specific. When a database is exposed in public, the attacker will not be able to look up the passwords, since they don't have the secret pepper key.

I am not sure about the vulnerability enumeration, but CWE-760 seems closer. Salt is not weak, but it is known. The salt is stored next to the hashed password.

This is a case of a stolen database; however, I think Django, by default, should do everything that could be done at the framework level to keep the user information secured.
"	New feature	closed	contrib.auth	4.2	Normal	duplicate			Unreviewed	0	0	0	0	0	0
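As an added illustration (not the reporter's code and not Django's own hasher), the following Python reimplements the `<algorithm>$<iterations>$<salt>$<hash>` layout from the ticket with the standard library and adds a peppered variant: the pepper is an HMAC key held outside the database, so a stolen table alone no longer lets a known password be confirmed against its stored hash. The `pbkdf2_sha256_peppered` label, the pepper value and the salts used in the test are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import string

ALGORITHM = "pbkdf2_sha256"                    # label used in the ticket
PEPPERED_ALGORITHM = "pbkdf2_sha256_peppered"  # hypothetical label for the peppered variant
ITERATIONS = 600000                            # iteration count shown in the ticket
SALT_CHARS = string.ascii_letters + string.digits

def new_salt(length: int = 22) -> str:
    """Random alphanumeric salt; it is stored in clear next to the hash, as in the ticket."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))

def encode(password: str, salt: str, iterations: int = ITERATIONS,
           algorithm: str = ALGORITHM) -> str:
    """Build <algorithm>$<iterations>$<salt>$<hash> using PBKDF2-HMAC-SHA256, base64 digest."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    digest = base64.b64encode(raw).decode("ascii")
    return f"{algorithm}${iterations}${salt}${digest}"

def decode(encoded: str) -> dict:
    """Split a stored string back into its four fields."""
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    return {"algorithm": algorithm, "iterations": int(iterations),
            "salt": salt, "hash": digest}

def check(password: str, encoded: str) -> bool:
    """Recompute with the stored salt and compare in constant time (no pepper involved)."""
    parts = decode(encoded)
    candidate = encode(password, parts["salt"], parts["iterations"], parts["algorithm"])
    return hmac.compare_digest(candidate, encoded)

def _peppered(password: str, pepper: bytes) -> str:
    # Keyed pre-hash: the pepper is an HMAC key kept out of the database (settings,
    # environment, KMS), so the stored hash cannot be recomputed from the table alone.
    return hmac.new(pepper, password.encode(), "sha256").hexdigest()

def encode_peppered(password: str, salt: str, pepper: bytes,
                    iterations: int = ITERATIONS) -> str:
    """Same layout as encode(), but the password is first bound to the pepper."""
    return encode(_peppered(password, pepper), salt, iterations, PEPPERED_ALGORITHM)

def check_peppered(password: str, encoded: str, pepper: bytes) -> bool:
    """Verify a peppered record; refuses records written by the unpeppered hasher."""
    if decode(encoded)["algorithm"] != PEPPERED_ALGORITHM:
        return False
    return check(_peppered(password, pepper), encoded)
```

Rotating the pepper requires re-hashing users on their next login, since the stored digest cannot be converted without the password; that is the main operational cost of the scheme the ticket proposes.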
