[Django] #32275: Offer an scrypt based password hasher


Django

Dec 16, 2020, 9:28:26 AM
to django-...@googlegroups.com
#32275: Offer an scrypt based password hasher
----------------------------------------+------------------------
Reporter: Alex Gaynor | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
----------------------------------------+------------------------
Currently django defaults to PBKDF2, with options (using third party
libraries) for bcrypt and argon2 (and then a large number of legacy
options that should be avoided).

When PBKDF2 was originally chosen as the default, it was selected because
it was the most secure option that could reasonably be implemented in pure
Python with the stdlib.

As of Python 3.6, scrypt is available in the stdlib. scrypt is also
substantially more secure than PBKDF2, because it is memory hard. See
https://www.tarsnap.com/scrypt/scrypt.pdf (page 14) for a table that
assesses the relative cost-to-brute-force of scrypt vs. PBKDF2 at
interactive latency.

For these reasons, I think it'd be appropriate for Django to include an
scrypt based hasher, and even to default to it for new installations.

--
Ticket URL: <https://code.djangoproject.com/ticket/32275>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Dec 16, 2020, 9:31:07 AM
to django-...@googlegroups.com
#32275: Offer an scrypt based password hasher
------------------------------+--------------------------------------
Reporter: Alex Gaynor | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------

Comment (by Alex Gaynor):

I should note that, while I can't make any commitments on behalf of a 3rd
party, I think there's a reasonable chance this would qualify for a reward
under Google's Patch Rewards program:
https://www.google.com/about/appsecurity/patch-rewards/ (I have no
affiliation with Google.)

Link to the scrypt docs:
https://docs.python.org/3/library/hashlib.html#hashlib.scrypt

--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:1>

Django

Dec 16, 2020, 11:20:17 AM
to django-...@googlegroups.com
#32275: Add scrypt password hasher
------------------------------+------------------------------------
Reporter: Alex Gaynor | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by Mariusz Felisiak):

* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:2>

Django

Dec 16, 2020, 11:59:13 PM
to django-...@googlegroups.com
#32275: Add scrypt password hasher
------------------------------+------------------------------------------
Reporter: Alex Gaynor | Owner: Anthony Wright
Type: New feature | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by Anthony Wright):

* cc: Anthony Wright (added)
* owner: nobody => Anthony Wright
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:3>

Django

Dec 19, 2020, 6:49:21 PM
to django-...@googlegroups.com
#32275: Add scrypt password hasher
------------------------------+------------------------------------------
Reporter: Alex Gaynor | Owner: Anthony Wright
Type: New feature | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------

Comment (by Anthony Wright):

Wrote scrypt function in crypto.py which uses the hashlib.scrypt function.
Wrote ScryptPasswordHasher class in Hashers.py and added it as an option
in global_settings. Currently working on tests.

--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:4>
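An added example, not Django's ScryptPasswordHasher and not the patch from this ticket: a minimal password hasher built on hashlib.scrypt in the shape the thread describes (an scrypt helper plus encode / verify / must_update). The "scrypt$n$r$p$salt$hash" string layout, the parameter defaults, the memory estimate and the explicit maxmem handling are assumptions made for this example. Note that hashlib.scrypt is only present when the interpreter was built against OpenSSL 1.1 or newer.

```python
"""scrypt password hasher on top of hashlib.scrypt (illustrative code for
this page; hash layout and parameter choices are assumptions, not Django's)."""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "scrypt"
# Cost parameters: n = CPU/memory cost (power of two), r = block size,
# p = parallelism. 2**14 / 8 / 1 is the interactive-login setting from the
# scrypt paper; raise n as hardware allows. DKLEN is the derived key length.
WORK_FACTOR, BLOCK_SIZE, PARALLELISM, DKLEN = 2**14, 8, 1, 64
# Memory cap OpenSSL applies when hashlib.scrypt is called with maxmem=0.
OPENSSL_DEFAULT_MAXMEM = 32 * 1024 * 1024


def scrypt_memory_bytes(n, r, p):
    """Approximate working memory scrypt needs: 128*r*n bytes for the V
    array (OpenSSL reserves n+2 blocks) plus 128*r*p bytes for the B buffer.
    This is what makes scrypt memory-hard: n scales RAM, not just CPU time."""
    return 128 * r * (n + 2) + 128 * r * p


def _derive(password, salt, n, r, p):
    # Pass maxmem explicitly: with the 32 MiB default, n=2**15 and r=8 already
    # make hashlib.scrypt raise ValueError instead of hashing.
    maxmem = max(2 * scrypt_memory_bytes(n, r, p), OPENSSL_DEFAULT_MAXMEM)
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt.encode("ascii"),
        n=n, r=r, p=p, maxmem=maxmem, dklen=DKLEN,
    )


def encode(password, salt=None, n=WORK_FACTOR, r=BLOCK_SIZE, p=PARALLELISM):
    """Return 'scrypt$n$r$p$salt$hash' (layout assumed for this example).
    Storing n, r, p beside the digest lets verify() use the parameters the
    hash was made with, so defaults can be raised later without breaking
    existing rows."""
    if salt is None:
        salt = secrets.token_urlsafe(16)  # 128 random bits; never contains '$'
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    digest = base64.b64encode(_derive(password, salt, n, r, p)).decode("ascii")
    return f"{ALGORITHM}${n}${r}${p}${salt}${digest}"


def decode(encoded):
    """Split a stored hash back into its fields."""
    algorithm, n, r, p, salt, digest = encoded.split("$", 5)
    if algorithm != ALGORITHM:
        raise ValueError(f"not a {ALGORITHM} hash")
    return {"algorithm": algorithm, "n": int(n), "r": int(r), "p": int(p),
            "salt": salt, "hash": digest}


def verify(password, encoded):
    """Recompute with the stored parameters and compare in constant time."""
    parts = decode(encoded)
    expected = base64.b64decode(parts["hash"])
    actual = _derive(password, parts["salt"], parts["n"], parts["r"], parts["p"])
    return hmac.compare_digest(actual, expected)


def must_update(encoded):
    """True when a stored hash uses weaker parameters than the current
    defaults; the caller should re-encode the password at the next
    successful login, when the plaintext is available."""
    parts = decode(encoded)
    return (parts["n"] < WORK_FACTOR or parts["r"] < BLOCK_SIZE
            or parts["p"] < PARALLELISM)


if __name__ == "__main__":
    stored = encode("correct horse battery staple")
    print(stored)
    print("verify ok :", verify("correct horse battery staple", stored))
    print("wrong pw  :", verify("Tr0ub4dor&3", stored))
    print("needs rehash:", must_update(stored))
    print("RAM per hash (MiB):",
          scrypt_memory_bytes(WORK_FACTOR, BLOCK_SIZE, PARALLELISM) / 2**20)
```

Two things a practitioner tends to want from such a hasher are visible here: the per-hash memory footprint, which is the quantity an attacker's GPU or ASIC budget has to pay for, and the must_update hook that lets a deployment raise n over time and transparently re-hash users as they log in.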

Django

Dec 20, 2020, 11:01:26 PM
to django-...@googlegroups.com
#32275: Add scrypt password hasher
------------------------------+------------------------------------------
Reporter: Alex Gaynor | Owner: Anthony Wright
Type: New feature | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by Anthony Wright):

* has_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:5>

Django

Dec 21, 2020, 12:26:15 AM
to django-...@googlegroups.com
#32275: Add scrypt password hasher
------------------------------+------------------------------------------
Reporter: Alex Gaynor | Owner: Anthony Wright
Type: New feature | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by Mariusz Felisiak):

* has_patch: 1 => 0


Comment:

Please send PR via GitHub before marking this flag.

--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:6>

Django

Dec 25, 2020, 4:15:44 PM
to django-...@googlegroups.com
#32275: Add scrypt password hasher
------------------------------+------------------------------------------
Reporter: Alex Gaynor | Owner: Anthony Wright
Type: New feature | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by Anthony Wright):

* has_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:7>

Django

Jan 2, 2021, 9:42:31 PM
to django-...@googlegroups.com
#32275: Add scrypt password hasher
------------------------------+------------------------------------------
Reporter: Alex Gaynor | Owner: Anthony Wright
Type: New feature | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by Tim Graham):

* needs_better_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:8>

Django

Jul 16, 2021, 6:17:53 AM
to django-...@googlegroups.com
#32275: Add scrypt password hasher
------------------------------+------------------------------------------
Reporter: Alex Gaynor | Owner: Anthony Wright
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------------
Changes (by Mariusz Felisiak):

* needs_better_patch: 1 => 0
* needs_docs: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:9>

Django

Jul 19, 2021, 5:39:03 AM
to django-...@googlegroups.com
#32275: Add scrypt password hasher
-------------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: Anthony Wright
Type: New feature | Status: assigned
Component: contrib.auth | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* needs_docs: 1 => 0
* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:10>

Django

Jul 22, 2021, 2:17:01 PM
to django-...@googlegroups.com
#32275: Add scrypt password hasher
-------------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: Anthony Wright
Type: New feature | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"1783b3cb24cdefd8e1e3d73acd1d1ef3011c96be" 1783b3c]:
{{{
#!CommitTicketReference repository=""
revision="1783b3cb24cdefd8e1e3d73acd1d1ef3011c96be"
Fixed #32275 -- Added scrypt password hasher.

Co-authored-by: Mariusz Felisiak <felisiak...@gmail.com>
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:11>

Django

Oct 6, 2023, 3:52:56 AM
to django-...@googlegroups.com
#32275: Add scrypt password hasher
-------------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: Anthony Wright
Type: New feature | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by GitHub <noreply@…>):

In [changeset:"90c75dc4f37bee19b7c3790519d187e38e293800" 90c75dc4]:
{{{
#!CommitTicketReference repository=""
revision="90c75dc4f37bee19b7c3790519d187e38e293800"
Refs #32275 -- Added scrypt password hasher to PASSWORD_HASHERS setting
docs.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:12>

Django

Oct 6, 2023, 3:56:12 AM
to django-...@googlegroups.com
#32275: Add scrypt password hasher
-------------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: Anthony Wright
Type: New feature | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"d5b093a2c5d968dc11447bc9b84848788f297737" d5b093a2]:
{{{
#!CommitTicketReference repository=""
revision="d5b093a2c5d968dc11447bc9b84848788f297737"
[5.0.x] Refs #32275 -- Added scrypt password hasher to PASSWORD_HASHERS
setting docs.

Backport of 90c75dc4f37bee19b7c3790519d187e38e293800 from main
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:13>

Django

Oct 6, 2023, 3:56:32 AM
to django-...@googlegroups.com
#32275: Add scrypt password hasher
-------------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: Anthony Wright
Type: New feature | Status: closed
Component: contrib.auth | Version: dev
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"99dcba90b4d36272d6c2e0fd96eec1ee5883db4c" 99dcba9]:
{{{
#!CommitTicketReference repository=""
revision="99dcba90b4d36272d6c2e0fd96eec1ee5883db4c"
[4.2.x] Refs #32275 -- Added scrypt password hasher to PASSWORD_HASHERS
setting docs.

Backport of 90c75dc4f37bee19b7c3790519d187e38e293800 from main
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/32275#comment:14>
