[Django] #33793: Check for PASSWORD_HASHERS


Django

Jun 20, 2022, 7:52:11 AM
to django-...@googlegroups.com
#33793: Check for PASSWORD_HASHERS
------------------------------------------------+------------------------
Reporter: Francisco Couzo | Owner: nobody
Type: New feature | Status: new
Component: Core (System checks) | Version:
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
I think it would be a good idea for the check command to check that
`PASSWORD_HASHERS[0]` is not any of the insecure password hashers such as
`MD5PasswordHasher` or `SHA1PasswordHasher`.

I can take care of implementing this if there's interest in this feature.

--
Ticket URL: <https://code.djangoproject.com/ticket/33793>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Jun 21, 2022, 2:51:30 AM
to django-...@googlegroups.com
#33793: Check for PASSWORD_HASHERS
-------------------------------------+-------------------------------------
Reporter: Francisco Couzo | Owner: nobody
Type: New feature | Status: closed
Component: Core (System | Version:
checks) |
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* status: new => closed
* resolution: => wontfix


Comment:

Django keeps "weak" password hashers for support with legacy systems and
[https://docs.djangoproject.com/en/stable/topics/testing/overview/#password-hashing speeding up the tests].
Moreover, they are not enabled by
[https://docs.djangoproject.com/en/stable/ref/settings/#password-hashers default],
so you must add them explicitly to the `PASSWORD_HASHERS`. Folks that do this
should be aware of their weakness. IMO there is no need for a new system check.

You can start a discussion on DevelopersMailingList if you don't agree.

--
Ticket URL: <https://code.djangoproject.com/ticket/33793#comment:1>
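
Since the ticket was closed as wontfix, a project that wants this check can register its own. The following is an added example, not code from the ticket or from Django: the contents of WEAK_HASHERS beyond the two hashers named in the ticket, the "security.example.*" check ids and the function names are assumptions, and it goes beyond the proposal by also reporting weak hashers after index 0 at a lower level.

```python
# Added example: project-local system check, not part of Django itself.
# WEAK_HASHERS lists the two hashers named in the ticket plus their unsalted
# variants (an assumption of this example); the "security.example.*" check
# ids are hypothetical.
WEAK_HASHERS = frozenset({
    "django.contrib.auth.hashers.MD5PasswordHasher",
    "django.contrib.auth.hashers.SHA1PasswordHasher",
    "django.contrib.auth.hashers.UnsaltedMD5PasswordHasher",
    "django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher",
})


def find_weak_hashers(password_hashers):
    """Return (level, check_id, message) tuples for a PASSWORD_HASHERS value."""
    hashers = list(password_hashers or [])
    if not hashers:
        return [("warning", "security.example.W001",
                 "PASSWORD_HASHERS is empty; there is no preferred hasher.")]
    findings = []
    # Entry 0 hashes every new or changed password, so a weak one is a warning.
    if hashers[0] in WEAK_HASHERS:
        findings.append(("warning", "security.example.W002",
                         f"PASSWORD_HASHERS[0] is the weak hasher {hashers[0]}."))
    # Later entries only verify existing hashes (legacy support): informational.
    for index, path in enumerate(hashers[1:], start=1):
        if path in WEAK_HASHERS:
            findings.append(("info", "security.example.I001",
                             f"PASSWORD_HASHERS[{index}] still accepts {path}."))
    return findings


try:
    from django.conf import settings
    from django.core import checks
except ImportError:  # the pure function above stays usable without Django
    checks = None

if checks is not None:
    # deploy=True: runs only under `manage.py check --deploy`, so test settings
    # that use the MD5 hasher for speed do not trip it on every plain check.
    @checks.register(checks.Tags.security, deploy=True)
    def check_password_hashers(app_configs, **kwargs):
        levels = {"warning": checks.Warning, "info": checks.Info}
        return [levels[level](message, id=check_id)
                for level, check_id, message
                in find_weak_hashers(settings.PASSWORD_HASHERS)]
```

The module has to be imported at startup (for example from an app's `AppConfig.ready()`) for the registration to take effect.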

Django

Jun 21, 2022, 11:31:34 AM
to django-...@googlegroups.com
#33793: Check for PASSWORD_HASHERS
-------------------------------------+-------------------------------------
Reporter: Francisco Couzo | Owner: nobody
Type: New feature | Status: closed
Component: Core (System | Version:
checks) |
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

[https://groups.google.com/g/django-developers/c/CBdwSCiDKwY/m/__KdkCs9JwAJ django-developers thread]

--
Ticket URL: <https://code.djangoproject.com/ticket/33793#comment:2>
