Disable "Password Upgrading"?
15 views
Skip to first unread message
Kurtis
May 14, 2013, 6:05:08 PM5/14/13
to django...@googlegroups.com
As per this document:
Django will upgrade all existing passwords to use the 'preferred' algorithm. Two questions:
1. What is the 'preferred' algorithm? Is this set by Django? Or is this simply the hasher at the top (or bottom) of the PASSWORD_HASHERS tuple?
2. How can I disable or otherwise bypass this feature? The database I am working with is shared with an older code-base and until we migrate the other components, I"d rather not "upgrade" the existing password hashes.
Thanks!
- Kurtis
Kurtis Mullins
May 16, 2013, 7:06:36 PM5/16/13
to django...@googlegroups.com
It took some digging but I believe I found the answer, just in case anyone else comes across this problem. I'll post again after I've tested this.
- Kurtis--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To post to this group, send email to django...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
Kurtis Mullins
May 16, 2013, 7:57:10 PM5/16/13
to django...@googlegroups.com
I didn't get around to testing the mentioned location of changing the password_hasher. After further investigation, I realized that the password hashes use a static hash and I was using a dynamic (per-user) hash.
Just in case anyone runs into this problem (non-static Hash):
My solution was to by-pass the existing authentication system all-together. I already had a custom User Model which sub-classed AbstractBaseUser. I simply overrode (sp?) the set_password and check_password methods to do the password checking on the spot; without delegating to django.contrib.auth.hashers
The reasoning behind this solution is that I ran out of time attempting to track down a method of passing my per-user value to be included in the Hash.
The reasoning behind this solution is that I ran out of time attempting to track down a method of passing my per-user value to be included in the Hash.
WARNING: This may not be a great idea. I haven't ran unit tests to see what sort of problems this will bring. Possibly none; I don't know until I do. Either way, I still believe the standard process-validation approach should be taken in case one needs to upgrade passwords or has multiple hash algorithms they want to use. I'm sure this work-around could be cleaned up to fall-back on the Django approach when needed. Either way, it feels clumsy and I'm sure there's a better way. Your mileage may very.
Reply all
Reply to author
Forward
0 new messages