Patch to add support for more secure password hashes in Python 2.5 or newer
| Reported by: | Nick Efford <nick@…> | Owned by: | nobody |
| Severity: | | Keywords: | authentication, password, hash |
| Cc: | | Triage Stage: | Design decision needed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | yes |
Django currently uses the sha module from the standard library to compute the SHA-1 hash of a password. Developers with particular concerns about security may prefer a stronger hashing algorithm such as SHA-256. Such algorithms have been available in the standard library since Python 2.5, via the hashlib module.
This patch modifies django.contrib.auth.models in two ways. First, it adds support for hashlib and the SHA-224, SHA-256 and SHA-384 algorithms to the check_password function. (For SHA-512 to be supported, the password field of the User model would need to be lengthened.) Second, it modifies the set_password method of the User model to use SHA-256 by default for password hashing, falling back on the sha module if hashlib cannot be imported.
Doctests for the check_password function are included with the patch.
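As an added illustration (not the ticket's patch and not Django's own code), the sketch below shows the two changes described in Python 3: a check_password that accepts any supported hashlib algorithm so existing SHA-1 rows keep verifying, a SHA-256 default for new hashes, and the column-length check that explains why SHA-512 is left out. It assumes Django's 'algorithm$salt$hexdigest' storage format and a 128-character password field; the constant-time comparison is an addition, not part of the ticket.

```python
import hashlib
import hmac
import secrets

# hashlib constructors for the algorithms discussed in the ticket.
DIGESTS = {
    'sha1': hashlib.sha1,      # what the old sha module produced
    'sha224': hashlib.sha224,
    'sha256': hashlib.sha256,  # the patch's new default
    'sha384': hashlib.sha384,
    'sha512': hashlib.sha512,  # too long for the password column, see below
}
# Assumed max_length of User.password in the Django of that era.
PASSWORD_FIELD_MAX_LENGTH = 128


def get_hexdigest(algorithm, salt, raw_password):
    """Hex digest of salt + password under the named algorithm."""
    if algorithm not in DIGESTS:
        raise ValueError('unknown password algorithm: %r' % algorithm)
    return DIGESTS[algorithm]((salt + raw_password).encode('utf-8')).hexdigest()


def fits_password_field(algorithm, salt_len=5):
    """Would 'algorithm$salt$hexdigest' fit in the password column?"""
    digest_len = DIGESTS[algorithm]().digest_size * 2   # hex doubles the bytes
    return len(algorithm) + 1 + salt_len + 1 + digest_len <= PASSWORD_FIELD_MAX_LENGTH


def make_password(raw_password, algorithm='sha256', salt=None):
    """Encode a password as 'algorithm$salt$hexdigest', SHA-256 by default."""
    if salt is None:
        salt = secrets.token_hex(3)[:5]   # constructed 5-character salt
    if not fits_password_field(algorithm, len(salt)):
        raise ValueError('%s hashes do not fit the password field' % algorithm)
    return '%s$%s$%s' % (algorithm, salt, get_hexdigest(algorithm, salt, raw_password))


def check_password(raw_password, enc_password):
    """Verify against whatever algorithm the stored value names."""
    try:
        algorithm, salt, hsh = enc_password.split('$')
    except ValueError:
        return False
    if algorithm not in DIGESTS:
        return False
    # Constant-time comparison (an addition here, not in the ticket's patch).
    return hmac.compare_digest(hsh, get_hexdigest(algorithm, salt, raw_password))
```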
Change History (12)
comment:1 Changed 7 years ago by Nick Efford <nick@…>
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
comment:2 Changed 7 years ago by Simon G. <dev@…>
- Triage Stage changed from Unreviewed to Design decision needed