id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
4151	Patch to add support for more secure password hashes in Python 2.5 or newer	Nick Efford <nick@…>	nobody	"Django currently uses the {{{sha}}} module from the standard library to compute the SHA-1 hash of a password.  Developers with particular concerns about security may prefer to use a stronger, more secure hashing algorithm such as SHA-256.  Such algorithms are available in the standard library as of Python 2.5, via the {{{hashlib}}} module.

This patch modifies {{{django.contrib.auth.models}}} in two ways.  First, it adds support for {{{hashlib}}} and the SHA-224, SHA-256 and SHA-384 algorithms to the {{{check_password}}} function.  (For SHA-512 to be supported, the {{{password}}} field of the {{{User}}} model would need to be lengthened.)  Second, it modifies the {{{set_password}}} method of the {{{User}}} model to use SHA-256 by default for password hashing, falling back on the {{{sha}}} module if {{{hashlib}}} cannot be imported.

Doctests for the {{{check_password}}} function are included with the patch."		closed	Contrib apps	dev		duplicate	authentication, password, hash		Design decision needed	1	0	0	1	0	0
