id: 4151
summary: Patch to add support for more secure password hashes in Python 2.5 or newer
reporter: Nick Efford
owner: nobody
type:
status: closed
component: Contrib apps
version: dev
severity:
resolution: duplicate
keywords: authentication, password, hash
cc:
stage: Design decision needed
has_patch: 1
needs_docs: 0
needs_tests: 0
needs_better_patch: 1
easy: 0
ui_ux: 0

description:

Django currently uses the {{{sha}}} module from the standard library to compute the SHA-1 hash of a password. Developers with particular concerns about security may prefer to use a stronger, more secure hashing algorithm such as SHA-256. Such algorithms are available in the standard library as of Python 2.5, via the {{{hashlib}}} module.

This patch modifies {{{django.contrib.auth.models}}} in two ways. First, it adds support for {{{hashlib}}} and the SHA-224, SHA-256 and SHA-384 algorithms to the {{{check_password}}} function. (For SHA-512 to be supported, the {{{password}}} field of the {{{User}}} model would need to be lengthened.) Second, it modifies the {{{set_password}}} method of the {{{User}}} model to use SHA-256 by default for password hashing, falling back on the {{{sha}}} module if {{{hashlib}}} cannot be imported.

doctests for the {{{check_password}}} function are included with the patch.
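
The scheme the ticket describes, sketched in modern Python as an added example; it is not the attached patch or Django's own code. The `algo$salt$hexdigest` storage format, the 5-character salt and the 128-character column limit are assumptions not stated in the ticket, and `make_password` and `encoded_length` are hypothetical helper names.

```python
import hashlib
import hmac
import secrets

# Assumptions (not stated in the ticket): the stored value has the form
# "algo$salt$hexdigest" and the User.password column holds 128 characters.
FIELD_MAX_LENGTH = 128
SUPPORTED = ("sha1", "sha224", "sha256", "sha384")  # algorithms the ticket names
DEFAULT_ALGO = "sha256"  # the ticket's proposed default for set_password


def get_hexdigest(algo, salt, raw_password):
    """Hex digest of salt + password; rejects algorithms outside SUPPORTED."""
    if algo not in SUPPORTED:
        raise ValueError("unsupported password hash algorithm: %r" % algo)
    return hashlib.new(algo, (salt + raw_password).encode("utf-8")).hexdigest()


def make_password(raw_password, algo=DEFAULT_ALGO, salt=None):
    """Build the stored string; a random 5-character hex salt by default."""
    if salt is None:
        salt = secrets.token_hex(3)[:5]
    return "%s$%s$%s" % (algo, salt, get_hexdigest(algo, salt, raw_password))


def check_password(raw_password, encoded):
    """Verify against whichever supported algorithm the stored prefix names."""
    try:
        algo, salt, digest = encoded.split("$")
        candidate = get_hexdigest(algo, salt, raw_password)
    except ValueError:
        return False  # malformed value or unsupported algorithm
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(candidate.encode("utf-8"), digest.encode("utf-8"))


def encoded_length(algo, salt_len=5):
    """Length of 'algo$salt$hexdigest' for any hashlib algorithm."""
    return len(algo) + 1 + salt_len + 1 + hashlib.new(algo).digest_size * 2
```

Because the algorithm name travels with each stored value, existing SHA-1 entries keep verifying after the default changes, and `encoded_length("sha512")` exceeds the assumed column limit, which is the constraint the description mentions for SHA-512.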