Opened 16 years ago
Closed 14 years ago
#9194 closed (duplicate)
Allow additional hashing algorithms for passwords
| Reported by: | David Cramer | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 1.0 |
| Severity: | Keywords: | ||
| Cc: | Gonzalo Saavedra | Triage Stage: | Design decision needed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
A useful addition to the auth contrib application would be the ability to pass in additional hashing algorithms for the password.
e.g.
AUTH_PASSWORD_ALGORITHMS = {
'sha': 'django.contrib.auth.blah.ShaHashThing',
'md5': '...',
'myalgo': '...',
}
Change History (6)
comment:1 by , 16 years ago
| Cc: | added |
|---|
comment:2 by , 15 years ago
| Triage Stage: | Unreviewed → Design decision needed |
|---|
comment:3 by , 15 years ago
comment:4 by , 15 years ago
For us (and we monkey patched to do this) our reasoning was having old passwords which had a slightly different algorithm than the built-in md5 or sha1. We wanted to support those still, since they could be.
comment:5 by , 14 years ago
#6028 is somewhat related (adding compatibility with glibc MD5-based crypt shadow passwords).
comment:6 by , 14 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | new → closed |
Dupe of #6028 and a lack of support for a more comprehensive pluggable backend for this use-case.
Note:
See TracTickets
for help on using tickets.
Repeating comments I made on django-dev:
Personally, I see this as a pretty low priority item, verging on wontfix. My usual position is that having more pluggable interfaces is a good thing, but in this case, IMHO, there isn't enough change and innovation in hashing algorithms to warrant a fully configurable interface for defining password hashes. There might even be an argument to _not_ make it configurable to discourage people from trying to write their own hashing algorithms.
contrib.auth currently supports MD5, SHA1 and crypt, which IMHO covers all the important bases. If you think there is an obvious candidate that is missing, I think I'd rather see us add specific support for that algorithm rather than a pluggable interface.