id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
37078	Change default algorithm of salted_hmac() from SHA-1 to SHA-256	Denny Biasiolli	Denny Biasiolli	"The `salted_hmac()` function (`crypto.py:19`) defaults to `algorithm=""sha1""`. While HMAC-SHA1 is not cryptographically broken (HMAC construction is resistant to collision attacks), SHA-1 is deprecated by NIST and modern security standards recommend SHA-256 or stronger for all new applications.

All security-sensitive callers within Django already override this default — `Signer` uses `sha256` (signing.py:193), `PasswordResetTokenGenerator` passes `sha256` explicitly, and session auth hashes use SHA-256. However, any third-party code or custom application calling `salted_hmac()` without specifying an algorithm will silently use SHA-1.

## Steps to Reproduce

1. In any Django project, call:
   ```python
   from django.utils.crypto import salted_hmac
   mac = salted_hmac(""my_salt"", ""my_value"")
   print(mac.digest_size)  # 20 bytes = SHA-1
   ```
2. Observe the HMAC uses SHA-1 without any explicit algorithm selection

## Expected Behavior

`salted_hmac()` should default to `""sha256""` to match modern cryptographic best practices and align with Django's own internal usage.

## Actual Behavior

`salted_hmac()` defaults to `algorithm=""sha1""` (line 19 of `crypto.py`)."	Cleanup/optimization	closed	Utilities	dev	Normal	fixed	security, crypto	Denny Biasiolli	Ready for checkin	1	0	0	0	0	0
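The following is an added example, not part of the ticket and not Django's own code. It uses a minimal stand-in for `salted_hmac()` that mirrors Django's construction (key = hash(key_salt + secret), then HMAC of the value under that key with the same hash) so it runs without Django installed, and it shows the point a maintainer would want to confirm before changing the default: the digest size the reporter observes, and the fact that a MAC minted by a caller that never passed `algorithm` stops verifying once the default flips from SHA-1 to SHA-256, whereas a caller that pins the algorithm explicitly is unaffected. The secret, salt and value are constructed sample inputs.

```python
import hashlib
import hmac

# Constructed sample inputs for this example (not from the ticket).
SECRET = "example-secret-key-not-for-production"
KEY_SALT = "my_salt"
VALUE = "my_value"


def salted_hmac(key_salt, value, secret, *, algorithm="sha1"):
    """Stand-in mirroring the construction of django.utils.crypto.salted_hmac().

    Hypothetical reimplementation, not Django's code: the key is the digest of
    key_salt + secret under `algorithm`, and the result is an HMAC of `value`
    under that key using the same hash. The default stays "sha1" here to model
    the pre-change behaviour the ticket describes.
    """
    try:
        hasher = getattr(hashlib, algorithm)
    except AttributeError:
        raise ValueError(f"{algorithm!r} is not an algorithm accepted by hashlib") from None
    key = hasher(key_salt.encode() + secret.encode()).digest()
    return hmac.new(key, msg=value.encode(), digestmod=hasher)


def digest_sizes():
    """Digest sizes for the implicit default, SHA-1 and SHA-256 (20, 20, 32 bytes)."""
    return {
        "default": salted_hmac(KEY_SALT, VALUE, SECRET).digest_size,
        "sha1": salted_hmac(KEY_SALT, VALUE, SECRET, algorithm="sha1").digest_size,
        "sha256": salted_hmac(KEY_SALT, VALUE, SECRET, algorithm="sha256").digest_size,
    }


def verify(stored_mac_hex, key_salt, value, secret, *, algorithm="sha1"):
    """Constant-time comparison of a stored hex MAC against a freshly computed one."""
    expected = salted_hmac(key_salt, value, secret, algorithm=algorithm).hexdigest()
    return hmac.compare_digest(expected, stored_mac_hex)


def default_change_impact():
    """Model what callers see when the library default moves from sha1 to sha256.

    A MAC produced while the default was SHA-1 (caller passed no `algorithm`)
    is checked as if the default were now SHA-256: both the derived key and the
    HMAC hash differ, so it fails. A caller that pinned sha256 explicitly keeps
    verifying.
    """
    unpinned_mac = salted_hmac(KEY_SALT, VALUE, SECRET).hexdigest()  # implicit sha1
    unpinned_survives = verify(unpinned_mac, KEY_SALT, VALUE, SECRET, algorithm="sha256")

    pinned_mac = salted_hmac(KEY_SALT, VALUE, SECRET, algorithm="sha256").hexdigest()
    pinned_survives = verify(pinned_mac, KEY_SALT, VALUE, SECRET, algorithm="sha256")

    return {"unpinned_survives": unpinned_survives, "pinned_survives": pinned_survives}


if __name__ == "__main__":
    print(digest_sizes())
    print(default_change_impact())
```

The practical consequence for the ticket: flipping the default is safe for Django's own callers because they already pass `sha256`, but any stored MACs produced by third-party code relying on the old default will stop verifying after the change, so such code should pin `algorithm` explicitly (or re-mint) rather than depend on the default.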
