[Django] #34017: Mention that when using Argon2PasswordHasher, this means Argon2id gets used


Django

Sep 16, 2022, 5:50:39 AM
to django-...@googlegroups.com
#34017: Mention that when using Argon2PasswordHasher, this means Argon2id gets used
-------------------------------------+-------------------------------------
Reporter: dash137 | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 4.1
Severity: Normal | Keywords: Argon2 Argon2id hashing algorithm password management
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
In the documentation page on "Password management in Django", the section
on Argon2 should mention that with the settings described there, the
specific algorithm that gets actually used is the variant **Argon2id**.
Namely, one should not have to look in another place to ascertain which
precise algorithm gets used when one makes the changes described there (as
it's quite important to know for sure that one will indeed be using
Argon2id instead of any other variant out there).

Link to the documentation section concerned:
https://docs.djangoproject.com/en/4.1/topics/auth/passwords/#using-argon2-with-django
Currently, the fact that Argon2id is indeed the default in Django (when
using Argon2), is to my knowledge only mentioned here:
https://docs.djangoproject.com/en/4.1/releases/3.2/

--
Ticket URL: <https://code.djangoproject.com/ticket/34017>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
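
An added check, not part of the ticket or of Django's code: it classifies stored password strings by Argon2 variant, so a deployment can confirm that its rows really are Argon2id instead of relying on the documentation alone. It assumes the encoded layout `argon2$<variant>$v=<version>$m=..,t=..,p=..$<salt>$<hash>`; the function names and sample rows are constructed for illustration.

```python
import re
from collections import Counter

# Assumed encoded layout (not stated on this page):
#   argon2$<variant>$v=<version>$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<hash>
_PARAMS = re.compile(r"m=(\d+),t=(\d+),p=(\d+)")
_VARIANTS = {"argon2id", "argon2i", "argon2d"}


def argon2_variant(encoded):
    """Return (variant, cost dict) for an Argon2 row, else (None, None)."""
    fields = encoded.split("$")
    if len(fields) < 5 or fields[0] != "argon2" or fields[1] not in _VARIANTS:
        return None, None
    # The v= field is optional in the Argon2 string format, so locate the
    # parameter field by pattern instead of by position.
    for field in fields[2:4]:
        m = _PARAMS.fullmatch(field)
        if m:
            keys = ("memory_kib", "time_cost", "parallelism")
            return fields[1], dict(zip(keys, map(int, m.groups())))
    return None, None


def audit(rows):
    """Count hash kinds and list users whose stored hash is not Argon2id."""
    counts, flagged = Counter(), []
    for username, encoded in rows:
        variant, _ = argon2_variant(encoded)
        kind = variant or encoded.split("$", 1)[0]
        counts[kind] += 1
        if variant != "argon2id":
            flagged.append((username, kind))
    return counts, flagged


# Constructed sample rows (salts and digests are placeholders, not real hashes).
SAMPLE = [
    ("alice", "argon2$argon2id$v=19$m=102400,t=2,p=8$c2FsdHNhbHQ$ZGlnZXN0"),
    ("bob", "argon2$argon2i$v=19$m=512,t=2,p=2$c2FsdHNhbHQ$ZGlnZXN0"),
    ("carol", "pbkdf2_sha256$390000$saltsalt$ZGlnZXN0"),
]

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE)
    print(dict(counts))
    print(flagged)
```

Rows flagged here keep verifying under whatever variant they were stored with; they only change once the password is re-hashed.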

Django

Sep 16, 2022, 6:02:38 AM
to django-...@googlegroups.com
#34017: Mention that when using Argon2PasswordHasher, this means Argon2id gets used
-------------------------------------+-------------------------------------
Reporter: David Schultz | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 4.1
Severity: Normal | Resolution:
Keywords: Argon2 Argon2id hashing algorithm password management | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* stage: Unreviewed => Accepted


Comment:

Agreed. Would you like to prepare a patch? It should be enough to mention
`Argon2id` in topics, e.g.
{{{#!diff
diff --git a/docs/topics/auth/passwords.txt
b/docs/topics/auth/passwords.txt
index 25c98bf786..43607d6478 100644
--- a/docs/topics/auth/passwords.txt
+++ b/docs/topics/auth/passwords.txt
@@ -83,7 +83,8 @@ Using Argon2 with Django
Argon2_ is the winner of the 2015 `Password Hashing Competition`_, a
community
organized open competition to select a next generation hashing algorithm.
It's
designed not to be easier to compute on custom hardware than it is to
compute
-on an ordinary CPU.
+on an ordinary CPU. The default variant for the Argon2 password hasher is
+Argon2id.

Argon2_ is not the default for Django because it requires a third-party
library. The Password Hashing Competition panel, however, recommends
immediate
}}}
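
Review bot: "default variant" in the added sentence reads as though a different Argon2 variant can be selected, yet nothing in the sentence or the surrounding context says where that would be done. If the variant is not meant to be configurable, say so directly, for example "The Argon2 password hasher uses the Argon2id variant."; otherwise name the place where it is chosen.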

--
Ticket URL: <https://code.djangoproject.com/ticket/34017#comment:1>

Django

Sep 16, 2022, 6:38:53 AM
to django-...@googlegroups.com
#34017: Mention that when using Argon2PasswordHasher, this means Argon2id gets used
-------------------------------------+-------------------------------------
Reporter: David Schultz | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 4.1
Severity: Normal | Resolution:
Keywords: Argon2 Argon2id hashing algorithm password management | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* easy: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/34017#comment:2>

Django

Sep 16, 2022, 7:43:33 AM
to django-...@googlegroups.com
#34017: Mention that when using Argon2PasswordHasher, this means Argon2id gets used
-------------------------------------+-------------------------------------
Reporter: David Schultz | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: 4.1
Severity: Normal | Resolution:
Keywords: Argon2 Argon2id hashing algorithm password management | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by David Schultz):

Currently I can't familiarize myself with the steps necessary to prepare
such a patch, so I would kindly ask you or someone else to do this. The
text which I would propose is this, building upon your suggestion:

{{{#!diff
diff --git a/docs/topics/auth/passwords.txt
b/docs/topics/auth/passwords.txt

index ???..??? ???
--- a/docs/topics/auth/passwords.txt
+++ b/docs/topics/auth/passwords.txt
@@ -83,93 +83,95 @@ Using Argon2 with Django


Argon2_ is the winner of the 2015 `Password Hashing Competition`_, a
community
organized open competition to select a next generation hashing algorithm.
It's
designed not to be easier to compute on custom hardware than it is to
compute
-on an ordinary CPU.
+on an ordinary CPU. The default variant for the Argon2 password hasher is
+Argon2id.

Argon2_ is not the default for Django because it requires a third-party
library. The Password Hashing Competition panel, however, recommends
immediate

use of Argon2 rather than the other algorithms supported by Django.

-To use Argon2 as your default storage algorithm, do the following:
+To use Argon2id as your default storage algorithm, do the following:
}}}
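
Review bot: the hunk header `@@ -83,93 +83,95 @@` declares far more lines than the body carries, and the `index ???..??? ???` line is a placeholder, so this text will not apply as a patch; regenerate it with `git diff` against docs/topics/auth/passwords.txt. In the last changed line, "To use Argon2id as your default storage algorithm" now differs from the neighbouring paragraphs, which keep saying Argon2; since the sentence added above already names the variant, consider leaving that line as it was.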

--
Ticket URL: <https://code.djangoproject.com/ticket/34017#comment:3>

Django

Sep 16, 2022, 8:10:48 AM
to django-...@googlegroups.com
#34017: Mention that when using Argon2PasswordHasher, this means Argon2id gets used
-------------------------------------+-------------------------------------
Reporter: David Schultz | Owner: Ritik Soni
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: 4.1
Severity: Normal | Resolution:
Keywords: Argon2 Argon2id hashing algorithm password management | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Ritik Soni):

* owner: nobody => Ritik Soni
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/34017#comment:4>

Django

Sep 17, 2022, 2:37:02 AM
to django-...@googlegroups.com
#34017: Mention that when using Argon2PasswordHasher, this means Argon2id gets used
-------------------------------------+-------------------------------------
Reporter: David Schultz | Owner: Ritik Soni
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: 4.1
Severity: Normal | Resolution:
Keywords: Argon2 Argon2id hashing algorithm password management | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* has_patch: 0 => 1
* stage: Accepted => Ready for checkin


Comment:

[https://github.com/django/django/pull/16069 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/34017#comment:5>

Django

Sep 17, 2022, 3:49:51 AM
to django-...@googlegroups.com
#34017: Mention that when using Argon2PasswordHasher, this means Argon2id gets used
-------------------------------------+-------------------------------------
Reporter: David Schultz | Owner: Ritik Soni
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: 4.1
Severity: Normal | Resolution: fixed
Keywords: Argon2 Argon2id hashing algorithm password management | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by GitHub <noreply@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"c11336cd990e155371a5185cf3bd6942cad8d9da" c11336cd]:
{{{
#!CommitTicketReference repository=""
revision="c11336cd990e155371a5185cf3bd6942cad8d9da"
Fixed #34017 -- Doc'd that Argon2id variant is used by
Argon2PasswordHasher.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/34017#comment:6>

Django

Sep 17, 2022, 3:50:01 AM
to django-...@googlegroups.com
#34017: Mention that when using Argon2PasswordHasher, this means Argon2id gets used
-------------------------------------+-------------------------------------
Reporter: David Schultz | Owner: Ritik Soni
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: 4.1
Severity: Normal | Resolution: fixed
Keywords: Argon2 Argon2id hashing algorithm password management | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"0859093f7c240b9677c62cac3682fd8c2643fa97" 0859093f]:
{{{
#!CommitTicketReference repository=""
revision="0859093f7c240b9677c62cac3682fd8c2643fa97"
[4.1.x] Fixed #34017 -- Doc'd that Argon2id variant is used by
Argon2PasswordHasher.

Backport of c11336cd990e155371a5185cf3bd6942cad8d9da from main
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/34017#comment:7>
