Django ticket #5787: BCrypt password hashing support in Django

Reporter: Erik Karulf
Owner: Erik Karulf
Type: (not set)
Status: closed
Component: Contrib apps
Version: dev
Severity: (not set)
Resolution: duplicate
Keywords: bcrypt hash password auth user
Cc: (none)
Stage: Unreviewed
Has patch: yes
Needs docs: no
Needs tests: no
Needs better patch: no
Easy pickings: no
UI/UX: no

Description:

'''About the ''bcrypt'' algorithm'''
 * The algorithm was designed by the OpenBSD group to replace traditional password hashing algorithms
 * The algorithm is significantly more secure than the traditional crypt, md5 and sha1 hashing algorithms
 * The algorithm manages salt generation automatically
 * The algorithm has a user-configurable complexity level, so its cost can be raised to keep pace with growth in CPU speeds
 * Links:
   * OpenBSD whitepaper on ''bcrypt'': [http://www.openbsd.org/papers/bcrypt-paper.ps bcrypt-paper.ps]
   * py-bcrypt: [http://www.mindrot.org/projects/py-bcrypt/ project home page]
   * Review of password storage by the Matasano security group: [http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/ review]

'''About the patch'''
 * The patch introduces no backwards-incompatible changes
 * The patch allows use of the bcrypt algorithm if, and only if, the bcrypt module is available
 * The patch introduces two new settings:
   * '''PREFERRED_HASH''' - the preferred hash algorithm for storing passwords (default: 'sha1')
   * '''BCRYPT_LOG_ROUNDS''' - the number of rounds, which determines the complexity of the bcrypt algorithm (default: 12)
 * The patch moves the encryption formats out of the user model entirely
 * The patch has been tested against Python 2.4 / OS X (10.4)
 * The patch updates the relevant documentation according to the style guidelines
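The two settings and the "bcrypt if available, else the existing format" rule describe a small dispatch layer. The following Python sketch is an added illustration of that design and is not the ticket's patch or Django's own code: `PREFERRED_HASH` and `BCRYPT_LOG_ROUNDS` are module-level stand-ins for the proposed settings, `make_password`, `check_password`, `bcrypt_cost` and `needs_upgrade` are hypothetical helpers, the `sha1$salt$hash` layout mirrors the format Django used at the time, and the bcrypt branch assumes the current `bcrypt` package (`gensalt`/`hashpw`). Stored hashes carry their algorithm as a prefix, so the cost parameter embedded in a bcrypt string can be read back later to decide whether an old hash should be re-hashed under a higher round count.

```python
import hashlib
import hmac
import os
from binascii import hexlify

# Added example (not the ticket's patch): use bcrypt only when the module
# is importable, exactly as the ticket describes.
try:
    import bcrypt  # assumption: the current "bcrypt" package API
    HAS_BCRYPT = True
except ImportError:
    HAS_BCRYPT = False

# Hypothetical stand-ins for the two settings proposed in the ticket.
PREFERRED_HASH = 'bcrypt'
BCRYPT_LOG_ROUNDS = 12


def effective_algorithm(algorithm=None):
    """Resolve the preferred algorithm, falling back to sha1 without bcrypt."""
    algorithm = algorithm or PREFERRED_HASH
    if algorithm == 'bcrypt' and not HAS_BCRYPT:
        return 'sha1'
    return algorithm


def make_password(raw_password, algorithm=None, log_rounds=None):
    """Return 'sha1$<salt>$<hexdigest>' or 'bcrypt$<bcrypt string>'."""
    algorithm = effective_algorithm(algorithm)
    if algorithm == 'bcrypt':
        rounds = BCRYPT_LOG_ROUNDS if log_rounds is None else log_rounds
        # bcrypt generates and embeds its own salt and cost in the output.
        hashed = bcrypt.hashpw(raw_password.encode('utf-8'), bcrypt.gensalt(rounds))
        return 'bcrypt$' + hashed.decode('ascii')
    if algorithm == 'sha1':
        salt = hexlify(os.urandom(4)).decode('ascii')  # 8 hex chars, as old Django did
        digest = hashlib.sha1((salt + raw_password).encode('utf-8')).hexdigest()
        return 'sha1$%s$%s' % (salt, digest)
    raise ValueError('unknown password algorithm: %r' % algorithm)


def check_password(raw_password, encoded):
    """Verify raw_password against a stored hash, dispatching on its prefix."""
    algorithm, rest = encoded.split('$', 1)
    if algorithm == 'bcrypt':
        if not HAS_BCRYPT:
            raise ValueError('stored hash needs the bcrypt module, which is unavailable')
        stored = rest.encode('ascii')
        # Re-hashing with the stored string as salt reuses its salt and cost.
        recomputed = bcrypt.hashpw(raw_password.encode('utf-8'), stored)
        return hmac.compare_digest(recomputed, stored)
    if algorithm == 'sha1':
        salt, digest = rest.split('$', 1)
        expected = hashlib.sha1((salt + raw_password).encode('utf-8')).hexdigest()
        return hmac.compare_digest(expected, digest)
    raise ValueError('unknown password algorithm: %r' % algorithm)


def bcrypt_cost(encoded):
    """Return the log-rounds cost embedded in a bcrypt hash, or None for other formats."""
    if not encoded.startswith('bcrypt$'):
        return None
    # Layout after the prefix: $2?$<cost>$<salt+hash>
    return int(encoded.split('$')[3])


def needs_upgrade(encoded):
    """True when a stored hash is weaker than the current preferred settings."""
    preferred = effective_algorithm()
    algorithm = encoded.split('$', 1)[0]
    if algorithm != preferred:
        return True
    cost = bcrypt_cost(encoded)
    return cost is not None and cost < BCRYPT_LOG_ROUNDS
```

Checking `needs_upgrade` at login time, when the plaintext is available, lets an installation raise `BCRYPT_LOG_ROUNDS` later and migrate hashes gradually; lowering the number of rounds is never necessary for verification, because each stored bcrypt string records the cost it was produced with.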