id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
35492	Replace call to User.set_password with make_password in authenticate	Natalia Bidart	nobody	"In the current implementation of `ModelBackend.authenticate()`, `set_password()` is invoked on an empty User model to conceal timing differences between existing and non-existing users, thereby preventing password timing attacks.
However, relying on `set_password()` in this context may lead to unintended consequences, given it is a public and overridable method of the model. The Security Team suggested calling `make_password()` directly instead to achieve the same desired timing effect."	Cleanup/optimization	closed	contrib.auth	dev	Normal	wontfix		אורי	Unreviewed	0	0	0	0	0	0
