﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
34661	Peppering user passwords	Fatih Erikli	nobody	"Currently a user's password is stored in the database in this format:

> <algorithm>$<iterations>$<salt>$<hash>

The salt is a randomly generated string per user. The hash (last column) is the password hashed with the salt stored in the previous column.

For example, these are two computed passwords, stored in the database, for the same password of two users.

> pbkdf2_sha256$600000$fb9cUsHWK4EMZ7VWGBAcGD$2uwiVefFwanIhxLrv+/t3sKvP4X6tDKEMw/ysHD5dIc=
> pbkdf2_sha256$600000$HgWHWrF2qQD9Owj4XeEkjY$rh0qzfo+/ZCzWbL9ZJa8aKhiO5xoEMfT4EtP/+A+LzI=

The password is **123456**.

Imagine I am an attacker who got the database of a different Django project, and I want to look up the users who have chosen the password 123456.

I have the salts of users stored in database.

> make_password('123456', 'fb9cUsHWK4EMZ7VWGBAcGD')
> pbkdf2_sha256$600000$fb9cUsHWK4EMZ7VWGBAcGD$2uwiVefFwanIhxLrv+/t3sKvP4X6tDKEMw/ysHD5dIc=

> make_password('123456', 'HgWHWrF2qQD9Owj4XeEkjY')
> pbkdf2_sha256$600000$HgWHWrF2qQD9Owj4XeEkjY$rh0qzfo+/ZCzWbL9ZJa8aKhiO5xoEMfT4EtP/+A+LzI=

These are correct password combinations. I am able to look up the users who have their passwords exposed in public.

There is one more element needed for hashing the password, a **pepper**, which should be Django-project specific. Even when a database is exposed, the attacker will not be able to look up the known passwords, since they don't have the secret pepper key.
"	Uncategorized	new	contrib.auth	4.2	Normal				Unreviewed	0	0	0	0	0	0
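The following is an added example, not code from the ticket or from Django, showing the proposal above as one common construction: the password is first keyed with the secret pepper via HMAC-SHA256, then salted and stretched with PBKDF2-SHA256 exactly as before. The `pbkdf2_sha256_peppered` algorithm tag, the `PEPPER` value and the function names are assumptions of this example; `TICKET_SALT` and `TICKET_HASH` are copied from the ticket so the unpeppered path can be checked against it.

```python
import base64
import hashlib
import hmac

# Copied from the ticket: one user's salt and the stored hash of the password 123456.
TICKET_SALT = "fb9cUsHWK4EMZ7VWGBAcGD"
TICKET_HASH = "pbkdf2_sha256$600000$fb9cUsHWK4EMZ7VWGBAcGD$2uwiVefFwanIhxLrv+/t3sKvP4X6tDKEMw/ysHD5dIc="

# Constructed secret for this example. A real deployment loads it from outside the
# database (settings file, environment, KMS), never from a table next to the hashes.
PEPPER = b"example-pepper-kept-out-of-the-database"


def encode(password: str, salt: str, iterations: int = 600000) -> str:
    """Unpeppered PBKDF2-SHA256 in the <algorithm>$<iterations>$<salt>$<hash> format."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(digest).decode()}"


def encode_peppered(password: str, salt: str, pepper: bytes, iterations: int = 600000) -> str:
    """Pepper first (HMAC under the project secret), then salt-and-stretch as before.

    Without the pepper, knowing the salt and the iteration count is not enough to
    recompute this value, so a leaked table cannot be matched against known passwords.
    """
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).hexdigest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256_peppered${iterations}${salt}${base64.b64encode(digest).decode()}"


def verify_peppered(password: str, encoded: str, pepper: bytes) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    algorithm, iterations, salt, _ = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256_peppered":
        return False
    candidate = encode_peppered(password, salt, pepper, int(iterations))
    return hmac.compare_digest(candidate, encoded)
```

Because the pepper is mixed in before stretching, rotating it means re-hashing each password at the user's next successful login rather than rewriting the table in place.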
