[Django] #26187: Remove weak password hashers from the default PASSWORD_HASHERS setting


Django

Feb 8, 2016, 2:22:29 PM2/8/16
to django-...@googlegroups.com
#26187: Remove weak password hashers from the default PASSWORD_HASHERS setting
------------------------------------------------+------------------------
Reporter: timgraham | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
As [https://groups.google.com/d/topic/django-developers/ZeRJU8YVrxg/discussion discussed on django-developers],
removing weak password hashers may be too invasive at this time
(particularly for projects integrating with a legacy database), but if we
remove weak hashers from the defaults, users will at least be forced to
acknowledge that they want to use a weak hasher.

--
Ticket URL: <https://code.djangoproject.com/ticket/26187>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
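The ticket's trade-off (dropping weak hashers from the default makes legacy rows unverifiable unless the project lists the weak hasher explicitly, while keeping it lets Django rehash on the next successful login) can be seen in a small model. The block below is an added example for this thread, not code from Django: it re-implements only the storage formats Django uses for two hashers with hashlib, so it runs without Django installed. The algorithm list WEAK_ALGORITHMS, the iteration count, the user rows and the passwords are assumptions constructed for the demo.

```python
"""Model of how settings.PASSWORD_HASHERS governs verification and rehashing.

Added example, not Django's own code. Only the storage formats are copied:
    sha1$<salt>$<hex sha1(salt + password)>                 (legacy, weak)
    pbkdf2_sha256$<iterations>$<salt>$<base64 derived key>  (preferred)
All user rows and passwords below are constructed for the demo.
"""
import base64
import hashlib
import hmac
from collections import Counter

# Algorithms the ticket removes from the default setting (assumed list).
WEAK_ALGORITHMS = {"sha1", "md5", "unsalted_sha1", "unsalted_md5", "crypt"}
PBKDF2_ITERATIONS = 30000  # assumption; use the current Django default in practice

NEW_DEFAULT = ["pbkdf2_sha256"]            # weak hashers gone, as the ticket proposes
LEGACY_OPT_IN = ["pbkdf2_sha256", "sha1"]  # explicit acknowledgement of the weak hasher


def encode_sha1(password, salt):
    """Legacy salted-SHA1 storage format."""
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return "sha1$%s$%s" % (salt, digest)


def encode_pbkdf2(password, salt, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-SHA256 storage format."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(dk).decode())


def algorithm_of(encoded):
    return encoded.split("$", 1)[0]


def check_password(password, encoded, hashers):
    """Return (is_correct, must_update); `hashers` plays the role of
    settings.PASSWORD_HASHERS (algorithm names, preferred first).
    A hash whose algorithm is not listed is unusable: the check fails
    even when the password is right."""
    algo = algorithm_of(encoded)
    if algo not in hashers:
        return False, False
    if algo == "sha1":
        _, salt, _ = encoded.split("$")
        recomputed = encode_sha1(password, salt)
    elif algo == "pbkdf2_sha256":
        _, iters, salt, _ = encoded.split("$")
        recomputed = encode_pbkdf2(password, salt, int(iters))
    else:
        raise NotImplementedError(algo)
    is_correct = hmac.compare_digest(recomputed, encoded)
    # Rehash when the stored algorithm is not the preferred one, or when a
    # PBKDF2 row was made with fewer iterations than the current setting.
    stale_iters = algo == "pbkdf2_sha256" and int(encoded.split("$")[1]) < PBKDF2_ITERATIONS
    return is_correct, (algo != hashers[0] or stale_iters)


def login(users, username, password, hashers, salt="n3wsalt"):
    """Authenticate and, on success with a stale hasher, rewrite the row with
    the preferred hasher. Returns True on success."""
    ok, must_update = check_password(password, users[username], hashers)
    if ok and must_update:
        users[username] = encode_pbkdf2(password, salt)
    return ok


def audit(users):
    """Count stored hashes per algorithm and list accounts still on weak ones."""
    by_algorithm = Counter(algorithm_of(h) for h in users.values())
    weak = sorted(u for u, h in users.items() if algorithm_of(h) in WEAK_ALGORITHMS)
    return {"by_algorithm": dict(by_algorithm), "weak_users": weak}


def sample_users():
    """Constructed rows: one legacy salted-SHA1 hash, one current PBKDF2 hash."""
    return {
        "alice": encode_sha1("correct horse", "abc123"),
        "bob": encode_pbkdf2("battery staple", "xyz789"),
    }
```

Run audit() against a dump of the users table before upgrading: accounts it reports as weak will be locked out under NEW_DEFAULT, and the only way to migrate them without a password reset is to keep the weak hasher listed (LEGACY_OPT_IN) until each user has logged in once and been rehashed.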

Django

Feb 8, 2016, 2:25:55 PM2/8/16
to django-...@googlegroups.com
#26187: Remove weak password hashers from the default PASSWORD_HASHERS setting
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: timgraham
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* owner: nobody => timgraham
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/26187#comment:1>

Django

Feb 8, 2016, 3:00:27 PM2/8/16
to django-...@googlegroups.com
#26187: Remove weak password hashers from the default PASSWORD_HASHERS setting
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: timgraham
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/6103 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/26187#comment:2>

Django

Feb 10, 2016, 4:47:57 PM2/10/16
to django-...@googlegroups.com
#26187: Remove weak password hashers from the default PASSWORD_HASHERS setting
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: timgraham
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by claudep):

Looking at a rather old app of mine with many users, I see that the only
weak hasher still used is salted SHA1. Just wondering if this is simply an
isolated example or if this matches the experience of many other projects.
In the latter case, we might consider keeping this hasher for the next one
or two versions. Apart from that question, the patch looks good.

--
Ticket URL: <https://code.djangoproject.com/ticket/26187#comment:3>

Django

Feb 10, 2016, 6:03:43 PM2/10/16
to django-...@googlegroups.com
#26187: Remove weak password hashers from the default PASSWORD_HASHERS setting
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: timgraham
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by timgraham):

Thanks Claude, I raised your concern [https://groups.google.com/d/topic/django-developers/ZeRJU8YVrxg/discussion on the mailing list thread].

--
Ticket URL: <https://code.djangoproject.com/ticket/26187#comment:4>

Django

Feb 22, 2016, 7:14:34 PM2/22/16
to django-...@googlegroups.com
#26187: Remove weak password hashers from the default PASSWORD_HASHERS setting
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: timgraham
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by timgraham):

As noted on the mailing list, I did a little experiment and cracked about
10% of the SHA1 password hashes in the djangoproject.com database in
minutes on my several year old PC. I think that's sufficiently weak to
warrant its removal from the defaults.

--
Ticket URL: <https://code.djangoproject.com/ticket/26187#comment:5>
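Why a salted SHA1 hash yields to an offline guessing attack in minutes, as the comment above reports, comes down to the cost of one guess. The block below is an added example, not the experiment Tim ran and not Django code: it rebuilds the legacy sha1$<salt>$<hex> storage format with hashlib, runs a plain wordlist attack against a constructed user table, and measures the per-guess cost of PBKDF2-SHA256 relative to salted SHA1. The user rows, wordlist and iteration count are assumptions made up for the demo.

```python
"""Wordlist attack on legacy salted-SHA1 rows, plus a work-factor comparison.

Added example, not from the ticket or from Django. The user table and the
wordlist are constructed; real attacks use far larger lists and GPUs.
"""
import hashlib
import time


def encode_sha1(password, salt):
    """Legacy Django storage format: sha1$<salt>$<hex sha1(salt + password)>."""
    return "sha1$%s$%s" % (salt, hashlib.sha1((salt + password).encode()).hexdigest())


# Constructed user table: two weak passwords, one that is not in the wordlist.
STORED = {
    "alice": encode_sha1("password1", "3a9f"),
    "bob": encode_sha1("Tr0ub4dor&3xx9!", "c0de"),
    "carol": encode_sha1("letmein", "7b21"),
}

# Constructed wordlist; a real one has millions of entries.
WORDLIST = ["123456", "password", "letmein", "password1", "qwerty"]


def crack_sha1(stored, wordlist):
    """Try every candidate against every row. The per-user salt defeats
    precomputed tables, but each guess still costs a single SHA1 call, so
    per-account guessing runs at raw hash speed. Returns {user: password}."""
    cracked = {}
    for user, encoded in stored.items():
        _, salt, digest = encoded.split("$")
        for guess in wordlist:
            if hashlib.sha1((salt + guess).encode()).hexdigest() == digest:
                cracked[user] = guess
                break
    return cracked


def guesses_spent(stored, wordlist):
    """Hash evaluations an attacker needs to exhaust the wordlist for every row."""
    return len(stored) * len(wordlist)


def cost_ratio(guesses=20, iterations=30000):
    """Wall-clock cost of one PBKDF2-SHA256 guess (assumed iteration count)
    relative to one salted-SHA1 guess, measured on this machine."""
    salt = b"3a9f"
    t0 = time.perf_counter()
    for i in range(guesses):
        hashlib.sha1(salt + str(i).encode()).hexdigest()
    sha1_seconds = max(time.perf_counter() - t0, 1e-9)
    t0 = time.perf_counter()
    for i in range(guesses):
        hashlib.pbkdf2_hmac("sha256", str(i).encode(), salt, iterations)
    pbkdf2_seconds = time.perf_counter() - t0
    return pbkdf2_seconds / sha1_seconds


if __name__ == "__main__":
    print("cracked:", crack_sha1(STORED, WORDLIST))
    print("guesses needed for the whole table:", guesses_spent(STORED, WORDLIST))
    print("PBKDF2 guess costs %.0fx a SHA1 guess" % cost_ratio())
```

The ratio returned by cost_ratio() is the whole argument for the change: the salt only stops an attacker from reusing work across accounts, while the iteration count multiplies the cost of every single guess, and that multiplier is what turns "minutes" into something an attacker cannot afford across a whole user table.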

Django

Feb 22, 2016, 7:14:53 PM2/22/16
to django-...@googlegroups.com
#26187: Remove weak password hashers from the default PASSWORD_HASHERS setting
-------------------------------------+-------------------------------------
Reporter: timgraham | Owner: timgraham
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"47b5a6a43c400619ca471de02e9f5fcc9f30d8bf" 47b5a6a]:
{{{
#!CommitTicketReference repository=""
revision="47b5a6a43c400619ca471de02e9f5fcc9f30d8bf"
Fixed #26187 -- Removed weak password hashers from PASSWORD_HASHERS.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26187#comment:6>
