[Django] #24115: Bcrypt hashers don't implement must_update


Django

Jan 10, 2015, 1:35:37 PM
to django-...@googlegroups.com
#24115: Bcrypt hashers don't implement must_update
-------------------------------+--------------------
Reporter: cancan101 | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
If the number of rounds is changed for the bcrypt hashers it does not
appear that the must_update will ever return True.

--
Ticket URL: <https://code.djangoproject.com/ticket/24115>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Jan 11, 2015, 4:26:41 PM
to django-...@googlegroups.com
#24115: Bcrypt hashers don't implement must_update
-------------------------------+--------------------------------------
Reporter: cancan101 | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by cancan101):

* needs_docs: => 0
* needs_tests: => 0
* needs_better_patch: => 0


Old description:

> If the number of rounds is changed for the bcrypt hashers it does not
> appear that the must_update will ever return True.

New description:

If the number of rounds is changed for the
[https://github.com/django/django/blob/5dddd79433ceb88ab67d9851b49a44ce5b8f509c/django/contrib/auth/hashers.py#L273
bcrypt hashers] it does not appear that the must_update will never return
True. This is because the
[https://github.com/django/django/blob/5dddd79433ceb88ab67d9851b49a44ce5b8f509c/django/contrib/auth/hashers.py#L216
default implementation is used].

For comparison, see
[https://pythonhosted.org/passlib/lib/passlib.context.html#hash-migration
passlib] which does in fact perform migrations for bcrypt.

--
Ticket URL: <https://code.djangoproject.com/ticket/24115#comment:1>
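The gap described in this ticket, as an added example that is not Django's code or part of the original thread: a hasher that keeps the default `must_update` never flags a hash created under an older rounds setting, while one that reads the cost field out of the stored hash does. The class names, `stale_accounts` and the sample records are hypothetical and constructed for illustration.

```python
import re

# Django stores bcrypt passwords as "<algorithm>$<bcrypt string>", where the
# bcrypt string is "$<variant>$<cost>$<22-char salt><31-char digest>".
ENCODED_RE = re.compile(
    r"^(?P<algorithm>bcrypt(?:_sha256)?)\$"
    r"\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


class DefaultHasher:
    """Mirrors the behaviour the ticket describes: never ask for a rehash."""

    def must_update(self, encoded):
        return False


class RoundsAwareBcrypt(DefaultHasher):
    """Hypothetical hasher that compares the stored cost with the configured one."""

    def __init__(self, rounds):
        self.rounds = rounds

    def must_update(self, encoded):
        match = ENCODED_RE.match(encoded)
        if match is None:
            # Refuse to guess on truncated or foreign hashes.
            raise ValueError("not a Django-style bcrypt hash")
        # Any difference counts, so lowering the setting also triggers a rehash.
        return int(match.group("cost")) != self.rounds


def stale_accounts(records, hasher):
    """Return the usernames whose hash would be re-encoded at next login."""
    return [user for user, encoded in records if hasher.must_update(encoded)]


# Constructed sample data: placeholder salt and digest, not real password hashes.
_TAIL = "s" * 22 + "d" * 31
RECORDS = [
    ("alice", "bcrypt_sha256$$2b$10$" + _TAIL),  # hashed before the rounds change
    ("bob", "bcrypt_sha256$$2b$12$" + _TAIL),    # hashed after it
    ("carol", "bcrypt$$2a$10$" + _TAIL),         # plain bcrypt, old cost
]

if __name__ == "__main__":
    print(stale_accounts(RECORDS, DefaultHasher()))
    print(stale_accounts(RECORDS, RoundsAwareBcrypt(12)))
```

A rehash needs the plaintext, so a flagged account is only re-encoded the next time its owner logs in successfully.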

Django

Jan 11, 2015, 4:27:05 PM
to django-...@googlegroups.com
#24115: Bcrypt hashers don't implement must_update
-------------------------------+--------------------------------------
Reporter: cancan101 | Owner: nobody
Type: Bug | Status: new
Component: Uncategorized | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Description changed by cancan101:

Old description:

> If the number of rounds is changed for the
> [https://github.com/django/django/blob/5dddd79433ceb88ab67d9851b49a44ce5b8f509c/django/contrib/auth/hashers.py#L273
> bcrypt hashers] it does not appear that the must_update will never return
> True. This is because the
> [https://github.com/django/django/blob/5dddd79433ceb88ab67d9851b49a44ce5b8f509c/django/contrib/auth/hashers.py#L216
> default implementation is used].
>
> For comparison, see
> [https://pythonhosted.org/passlib/lib/passlib.context.html#hash-migration
> passlib] which does in fact perform migrations for bcrypt.

New description:

If the number of rounds is changed for the
[https://github.com/django/django/blob/5dddd79433ceb88ab67d9851b49a44ce5b8f509c/django/contrib/auth/hashers.py#L273
bcrypt hashers] it does not appear that the must_update will ever return

For comparison, see
[https://pythonhosted.org/passlib/lib/passlib.context.html#hash-migration
passlib] which does in fact perform migrations for bcrypt.

--
Ticket URL: <https://code.djangoproject.com/ticket/24115#comment:2>

Django

Jan 12, 2015, 2:31:53 PM
to django-...@googlegroups.com
#24115: Bcrypt hashers don't implement must_update
------------------------------+--------------------------------------
Reporter: cancan101 | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by timgraham):

* cc: apollo13 (added)
* component: Uncategorized => contrib.auth


Comment:

Seems reasonable, but just would like Florian to confirm this wasn't an
intentional omission in 7d0d0dbf26a3c0d16e9c2b930fd6d7b89f215946.

--
Ticket URL: <https://code.djangoproject.com/ticket/24115#comment:3>

Django

Jan 15, 2015, 9:51:05 AM
to django-...@googlegroups.com
#24115: Bcrypt hashers don't implement must_update
------------------------------+--------------------------------------
Reporter: cancan101 | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------

Comment (by apollo13):

Replying to [comment:3 timgraham]:


> Seems reasonable, but just would like Florian to confirm this wasn't an
> intentional omission in 7d0d0dbf26a3c0d16e9c2b930fd6d7b89f215946.

It was intentional, I think Alex was against it, not sure why anymore…

--
Ticket URL: <https://code.djangoproject.com/ticket/24115#comment:4>

Django

Jan 15, 2015, 11:04:01 AM
to django-...@googlegroups.com
#24115: Bcrypt hashers don't implement must_update
------------------------------+--------------------------------------
Reporter: cancan101 | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+--------------------------------------
Changes (by timgraham):

* cc: Alex, timgraham (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/24115#comment:5>

Django

Jan 26, 2015, 3:21:07 PM
to django-...@googlegroups.com
#24115: Bcrypt hashers don't implement must_update
------------------------------+------------------------------------
Reporter: cancan101 | Owner: nobody
Type: Bug | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by timgraham):

* cc: apollo13, Alex, timgraham (removed)
* stage: Unreviewed => Accepted


Comment:

Alex says, "I'm definitely not against bcrypt implementing must_upgrade."

--
Ticket URL: <https://code.djangoproject.com/ticket/24115#comment:6>

Django

Feb 26, 2015, 2:07:18 PM
to django-...@googlegroups.com
#24115: Bcrypt hashers don't implement must_update
------------------------------+------------------------------------
Reporter: cancan101 | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by timgraham):

* has_patch: 0 => 1
* type: Bug => New feature


Comment:

[https://github.com/django/django/pull/4213 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/24115#comment:7>

Django

Mar 30, 2015, 7:03:39 PM
to django-...@googlegroups.com
#24115: Bcrypt hashers don't implement must_update
------------------------------+------------------------------------
Reporter: cancan101 | Owner: nobody
Type: New feature | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: new => closed
* resolution: => fixed


Comment:

In [changeset:"b86abbceb9a96d7a0fe18047c8fcd6fca90a2f3e" b86abbce]:
{{{
#!CommitTicketReference repository=""
revision="b86abbceb9a96d7a0fe18047c8fcd6fca90a2f3e"
Fixed #24115 -- Allowed bcrypt hashers to upgrade passwords on rounds
change.

Thanks Florian Apolloner for the review.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/24115#comment:8>

Django

Sep 22, 2015, 7:33:37 PM
to django-...@googlegroups.com
#24115: Bcrypt hashers don't implement must_update
------------------------------+------------------------------------
Reporter: cancan101 | Owner: nobody
Type: New feature | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"cb1e779ceb461fd1a5ad9e7659316ac4d3775a5f" cb1e779]:
{{{
#!CommitTicketReference repository=""
revision="cb1e779ceb461fd1a5ad9e7659316ac4d3775a5f"
Refs #24115 -- Added docs for password updates on bcrypt rounds change.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/24115#comment:9>
