Hi Tim,
A few notes here:
Just as djangoproject.com might need to keep those old hashers around, many projects will need it as well.
As such, providing the hashers in a dedicated "legacy" package might be the solution for most projects.
For the deprecation process, I think the needs of most sites would be:
1) Find out how many accounts use deprecated hashes, and when they last logged in
2) Based on that information, decide which hashers can be removed, and which accounts need to have their password reset.
Do you think this should be provided as a management command (useful as Django improves its hashers over the years),
or simply as a few code snippets in the release notes?
Finally, I suggest that the "no-op test hasher" retains some properties of the usual hashers, mainly "password is
transformed" and "any length is accepted".
Indeed, I have seen many issues with developers using ``user.password = 'foo'`` instead of going through
``user.set_password``, which is quickly discovered when going through the usual test setup.
Also, some users test for arbitrarily long passwords, which are perfectly fine with normal hashers and shouldn't thus
fail in a test setup due to a "no-op cleartext hasher".
If you're interested, I can provide some help with the deprecation documentation and no-op code in the next few days,
depending on which options you choose to go with.
--
Raphaël
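As an added illustration of step 1) and 2) above (not code from the thread or from Django itself), the following pure-Python audit classifies stored hashes the way Django's hash format rules do, counts accounts per algorithm with their most recent login, and lists the accounts that would need a reset. The rows are constructed for the example; in a project they would come from ``User.objects.values_list("username", "password", "last_login")``, and the DEPRECATED set is an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Hashers discussed for removal in the thread; the exact set is an assumption.
DEPRECATED = {"unsalted_md5", "unsalted_sha1", "sha1", "md5", "crypt"}

def identify_algorithm(encoded):
    """Mirror the format rules Django uses to choose a hasher for a stored hash."""
    if not encoded or encoded.startswith("!"):
        return "unusable"                      # set_unusable_password() marker
    if "$" not in encoded and len(encoded) == 32:
        return "unsalted_md5"                  # bare hex md5 from the 0.90 era
    if encoded.startswith("md5$$") and len(encoded) == 37:
        return "unsalted_md5"
    if encoded.startswith("sha1$$") and len(encoded) == 46:
        return "unsalted_sha1"
    return encoded.split("$", 1)[0]            # e.g. pbkdf2_sha256, sha1, crypt

def audit_hashes(rows):
    """rows: (username, encoded_password, last_login or None).
    Returns {algorithm: {"count": n, "last_login": latest datetime or None}}."""
    report = defaultdict(lambda: {"count": 0, "last_login": None})
    for _user, encoded, last_login in rows:
        entry = report[identify_algorithm(encoded)]
        entry["count"] += 1
        if last_login and (entry["last_login"] is None or last_login > entry["last_login"]):
            entry["last_login"] = last_login
    return dict(report)

def accounts_needing_reset(rows, deprecated=DEPRECATED):
    """Usernames whose stored hash uses a hasher slated for removal."""
    return sorted(u for u, enc, _ in rows if identify_algorithm(enc) in deprecated)

# Constructed sample rows (hash bodies are placeholders, not real digests).
SAMPLE_ROWS = [
    ("alice", "pbkdf2_sha256$24000$" + "s" * 12 + "$" + "h" * 44, datetime(2016, 1, 30)),
    ("bob", "sha1$a1b2c3$" + "0" * 40, datetime(2013, 2, 10)),
    ("carol", "sha1$$" + "0" * 40, datetime(2011, 6, 1)),
    ("dave", "0" * 32, None),
    ("erin", "!" + "x" * 40, None),
]

if __name__ == "__main__":
    for algo, info in sorted(audit_hashes(SAMPLE_ROWS).items()):
        print(f"{algo:14} {info['count']:4}  last login: {info['last_login']}")
    print("needs reset:", accounts_needing_reset(SAMPLE_ROWS))
```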
On Wed, 3 Feb 2016 12:26:00 -0800 (PST) Tim Graham <timog...@gmail.com> wrote:
> Acknowledged Donald, I just didn't want to bite off too much at once.
>
> I think the unsalted hashers removal could be done as a
> backwards-incompatible change. I wrote up some documentation including
> queries to check if your database is affected:
>
> https://github.com/django/django/pull/6082
> I'll be curious to know if anyone has a project that started in the Django
> 0.90 era which returns some results for those queries.
>
> About removing the SHA1PasswordHasher, MD5PasswordHasher, and/or
> CryptPasswordHasher -- I suspect many more users will be affected, so the
> normal deprecation process seems appropriate. To give an example, 8,484
> (64%) of the passwords for djangoproject.com users are SHA1. If the SHA1
> hasher is deprecated, what would we do? Options I can think of:
>
> 1. copy the hasher into the djangoproject.com source
> 2. release the legacy hashers as a separate package for those projects that
> need them
> 3. mark old passwords as unusable and force a reset if one of those users
> comes back
>
> The max "last login" for a user with a SHA1 hash is February 2013.
>
> Also, the MD5PasswordHasher is suggested in the documentation as a way to
> speed up tests so we would need to change that, whether it's force_login()
> or some new "no-op test hasher".
>
> On Tuesday, February 2, 2016 at 2:20:44 PM UTC-5, Donald Stufft wrote:
> >
> >
> > On Feb 2, 2016, at 1:52 PM, Tim Graham <timog...@gmail.com>