Code

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#5787 closed (duplicate)

BCrypt password hashing support in Django

Reported by: ekarulf Owned by: ekarulf
Component: Contrib apps Version: master
Severity: Keywords: bcrypt hash password auth user
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

About the bcrypt algorithm

  • The algorithm is designed to replace traditional password hashing algorithms by the OpenBSD group
  • The algorithm is significantly more secure than traditional crypt, md5 and sha1 hashing algorithms
  • The algorithm manages salt generation automatically
  • The algorithm allows for user configurable levels of algorithm complexity, allowing the algorithm to grow in complexity to match growth in CPU speeds
  • Links:

About the patch

  • The patch introduces no backwards incompatible changes
  • The patch allows for use of the bcrypt algorithm iff the bcrypt module is available
  • The patch introduces two new settings :
    • PREFERRED_HASH - The preferred hash algorithm for storing passwords (default: 'sha1')
    • BCRYPT_LOG_ROUNDS - The number of rounds determines the complexity of the bcrypt algorithm (default: 12)
  • The patch moves the encryption formats out of the user model entirely
  • The patch has been tested against Python 2.4 / OS X (10.4)
  • The patch updates the relevant documentation according to the style guidelines

Attachments (1)

django-bcrypt.diff (6.7 KB) - added by ekarulf 7 years ago.
First revision of django-bcrypt patch

Download all attachments as: .zip

Change History (5)

Changed 7 years ago by ekarulf

First revision of django-bcrypt patch

comment:1 Changed 7 years ago by ekarulf

  • Needs documentation unset
  • Needs tests unset
  • Owner changed from erik@… to ekarulf
  • Patch needs improvement unset

comment:2 Changed 7 years ago by ubernostrum

  • Resolution set to duplicate
  • Status changed from new to closed

Feels like a more specific case of #5600; "add a specific algorithm" really is a subset of "improve the support for different algorithms".

comment:3 Changed 7 years ago by mtredinnick

By the way, this sort of patch is backwards incompatible: as soon as you start generating passwords that are only computable based on an optional model, the database can only be used with Django installations that have that model available. This removes the ability to move the database around easily. Django operates on a "batteries included" philosophy for exactly that reason: runs anywhere without lots of extra dependencies.

comment:4 Changed 7 years ago by ekarulf

I meant to say compatibility in the API sense and I apologize for the confusion. If a user were to change their default hash, install the bcrypt module, and then move their data to a new environment where bcrypt is not available, it would not allow their users to authenticate.

That said, this seems somewhat inconsistent with the decision in ticket #3316. The crypt module has the same dump/restore constraints and includes an additional constraint of restricting the operating system to unix environments. My goal is not to re-open the ticket nor be argumentative, but I am new to the django community and I am trying to get a sense of the framework.

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.