id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
5787	BCrypt password hashing support in Django	Erik Karulf	Erik Karulf	"'''About the ''bcrypt'' algorithm'''
 * The algorithm was designed by the OpenBSD group to replace traditional password hashing algorithms
 * The algorithm is significantly more secure than traditional crypt, md5 and sha1 hashing algorithms
 * The algorithm manages salt generation automatically
 * The algorithm allows for user configurable levels of algorithm complexity, allowing the algorithm to grow in complexity to match growth in CPU speeds
 * Links:
   * OpenBSD Whitepaper on ''bcrypt'' : [http://www.openbsd.org/papers/bcrypt-paper.ps bcrypt-paper.ps]
   * py-bcrypt : [http://www.mindrot.org/projects/py-bcrypt/ project home page]
   * Review of password storage by Matasano security group: [http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/ review]

'''About the patch'''
 * The patch introduces no backwards incompatible changes
 * The patch allows for use of the bcrypt algorithm iff the bcrypt module is available
 * The patch introduces two new settings:
   * '''PREFERRED_HASH''' - The preferred hash algorithm for storing passwords (default: 'sha1')
   * '''BCRYPT_LOG_ROUNDS''' - The number of rounds determines the complexity of the bcrypt algorithm (default: 12)
 * The patch moves the encryption formats out of the user model entirely
 * The patch has been tested against Python 2.4 / OS X (10.4)
 * The patch updates the relevant documentation according to the style guidelines"		closed	Contrib apps	dev		duplicate	bcrypt hash password auth user		Unreviewed	1	0	0	0	0	0
