﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
37184	PBKDF2PasswordHasher no longer accepts password of type bytes	Johannes Leuschner		"Before 78fac1b0473ed8960ecd2a30aca4fa8420d150b8, `PBKDF2PasswordHasher` (which is the default hasher) used to accept a password of type `bytes` in `make_password` and `check_password`. After that commit, `force_str` is called on the password, raising a decoding error if the bytes are not valid UTF-8. The [https://github.com/django/django/blob/d01aaa5b1c8b89aedbcd9fbed497e4c69c72d0b1/django/utils/crypto.py#L86 pbkdf2 implementation] then actually converts back to `bytes`.

Minimal example:

{{{
from django.conf import settings
settings.configure()  # make_password() looks up settings.PASSWORD_HASHERS
from django.contrib.auth.hashers import make_password
make_password(b""\xc0"", hasher=""pbkdf2_sha256"")  # fails with DjangoUnicodeDecodeError
}}}

and also

{{{
from django.conf import settings
settings.configure()  # make_password()/check_password() look up settings.PASSWORD_HASHERS
from django.contrib.auth.hashers import make_password, check_password
encoded = make_password(b"""", hasher=""pbkdf2_sha256"")  # empty bytes password, valid UTF-8
check_password(b""\xc0"", encoded)  # fails with DjangoUnicodeDecodeError
}}}

A use case for passing a password of type `bytes` is generated passwords/keys, which can be exposed to the user e.g. via base64 encoding. This maximizes password strength compared to only allowing valid UTF-8 characters, and generating random passwords with a restricted character set is not as straightforward. Existing applications using passwords of type `bytes` now fail both at making and checking passwords.

Note that in the same commit `force_str` is also introduced to `MD5PasswordHasher`, but there it makes sense because `.encode()` has been called anyways, i.e. `bytes` was not supported before."	Bug	new	contrib.auth	6.0	Normal		PBKDF2 hasher password bytes UTF-8	Johannes Leuschner	Unreviewed	0	0	0	0	0	0
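Added example (not part of the ticket and not Django's own code): a Django-free reproduction of the two code paths the ticket describes. `django_style_force_str` and `pbkdf2_hex` are constructed stand-ins for the strict UTF-8 decode that `force_str` performs and for the `force_bytes` + `hashlib.pbkdf2_hmac` step in `django.utils.crypto.pbkdf2`; the salt, iteration count and output format are simplified and do not match `PBKDF2PasswordHasher`'s encoded string. It shows that hashing the raw bytes and hashing through the `str` coercion agree for valid UTF-8 input, that the `str` path fails for `b"\xc0"`, and that base64-encoding a generated key (as the ticket suggests) keeps the full entropy while staying on the supported `str` path.

```python
import base64
import hashlib
import secrets


def django_style_force_str(value):
    """Constructed stand-in for force_str() applied to a password:
    bytes are decoded as strict UTF-8, so b"\\xc0" raises UnicodeDecodeError
    (Django wraps this as DjangoUnicodeDecodeError)."""
    if isinstance(value, bytes):
        return value.decode("utf-8")
    return str(value)


def pbkdf2_hex(password, salt, iterations=1000):
    """Constructed stand-in for the hasher's pbkdf2 step: the password is
    coerced back to bytes (force_bytes) and fed to PBKDF2-HMAC-SHA256.
    Iteration count and hex output are simplified for the example."""
    if isinstance(password, str):
        password = password.encode("utf-8")
    if isinstance(salt, str):
        salt = salt.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations).hex()


def hash_via_str_path(password_bytes, salt):
    """Post-78fac1b behaviour: force_str first, then pbkdf2."""
    return pbkdf2_hex(django_style_force_str(password_bytes), salt)


def round_trip_check(password_bytes, salt):
    """Compare hashing the raw bytes (pre-78fac1b behaviour) with the
    force_str path. Returns (direct_hash, str_path_hash_or_None, equal)."""
    direct = pbkdf2_hex(password_bytes, salt)
    try:
        via_str = hash_via_str_path(password_bytes, salt)
    except UnicodeDecodeError:
        via_str = None
    return direct, via_str, direct == via_str


def safe_password_from_key(key_bytes):
    """Workaround from the ticket: base64-encode generated key bytes so the
    password handed to the hasher is an ASCII str with the same entropy."""
    return base64.b64encode(key_bytes).decode("ascii")


def generate_password(n_bytes=32):
    """Generate n_bytes of random key material and return it as a base64 str."""
    return safe_password_from_key(secrets.token_bytes(n_bytes))


if __name__ == "__main__":
    # Constructed sample inputs.
    print(round_trip_check(b"abc", "salt"))      # both paths agree for valid UTF-8
    print(round_trip_check(b"\xc0", "salt"))     # str path is None: decode failed
    pw = generate_password()
    print(len(pw), round_trip_check(pw.encode("ascii"), "salt")[2])
```

The base64 form carries the same 256 bits of entropy as the raw 32 key bytes (44 ASCII characters), so applications that previously passed raw `bytes` can keep the strength argument from the ticket while avoiding the `force_str` decode failure.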
