Hi Uri and all,

On Thu, 3 Sep 2020 08:37:42 +0100
Adam Johnson <m...@adamj.eu> wrote:

> I agree with Florian.
>

Me too.

> The occasional forced logout is probably fine. If you care about this
> enough Uri, you could write a blog post documenting your patch and
> how to use it when upgrading Django.
>

But:

> On Thu, 3 Sep 2020 at 08:29, Florian Apolloner <f.apollo...@gmail.com>
> wrote:
>
> > On Thursday, September 3, 2020 at 4:56:13 AM UTC+2 Uri wrote:
> >>
> >> I found out that this can be avoided by changing *def
> >> must_update*, for example if you change it to something like:
> >>
> >> def must_update(self, encoded):
> >>     # Update the stored password only if the iterations diff is at least 250,000.
> >>     algorithm, iterations, salt, hash = encoded.split('$', 3)
> >>     iterations_diff = abs(self.iterations - int(iterations))
> >>     return ((int(iterations) != self.iterations) and (iterations_diff >= 250000))
> >>
> >> Or even simply:
> >>
> >> def must_update(self, encoded):
> >>     return False
> >>

Please be aware that this is a security issue. The passwords are
encrypted as protection for the case that they fall into the hands of
an attacker, but for this protection to be effective, it must stay hard
and costly to brute-force them. The number of iterations is enlarged in
order to keep this cost up with the improvements of available hardware.
If you intend to keep a user's password un-updated for many years, it's
almost as bad as keeping it in plaintext -- in 10-15 years, we'd expect
the number of iterations in current Django to be grossly insufficient.

HTH,
	Shai.

-- 
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/20200903112219.6be68094.shai%40platonix.com.
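The point Shai makes about must_update() is easiest to see by running the upgrade step. The following is an added example written for this thread, not Django's own code: it reconstructs a minimal stand-in for Django's PBKDF2 hasher (encode / verify / must_update, using the same "algorithm$iterations$salt$hash" encoded form) and for the upgrade-on-login behaviour of check_password(), then runs a stored hash through the hasher as shipped and through the two patched must_update() variants quoted above. The class names, the check_password() helper and the iteration counts are assumptions made for illustration; the iteration counts in particular are not actual Django defaults.

```python
"""Minimal stand-in for Django's PBKDF2 hasher and the upgrade step of
check_password(). Added example for the thread, not Django's own code;
class names, helper names and iteration counts are constructed."""
import base64
import hashlib
import hmac
import secrets
import time


class PBKDF2Hasher:
    algorithm = "pbkdf2_sha256"

    def __init__(self, iterations):
        # Current work factor; Django raises this value in new releases.
        self.iterations = iterations

    def encode(self, password, salt=None, iterations=None):
        salt = salt or secrets.token_hex(8)
        iterations = iterations or self.iterations
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt.encode(), iterations
        )
        b64 = base64.b64encode(digest).decode("ascii")
        return f"{self.algorithm}${iterations}${salt}${b64}"

    def verify(self, password, encoded):
        algorithm, iterations, salt, _ = encoded.split("$", 3)
        if algorithm != self.algorithm:
            return False
        # Re-derive with the *stored* work factor so old hashes still verify.
        candidate = self.encode(password, salt, int(iterations))
        return hmac.compare_digest(candidate, encoded)

    def must_update(self, encoded):
        # As shipped: any difference in work factor triggers a re-hash.
        _, iterations, _, _ = encoded.split("$", 3)
        return int(iterations) != self.iterations


class ThresholdHasher(PBKDF2Hasher):
    """First patch quoted in the thread: re-hash only on a jump >= 250,000."""

    def must_update(self, encoded):
        _, iterations, _, _ = encoded.split("$", 3)
        iterations_diff = abs(self.iterations - int(iterations))
        return int(iterations) != self.iterations and iterations_diff >= 250000


class FrozenHasher(PBKDF2Hasher):
    """Second patch quoted in the thread: never re-hash."""

    def must_update(self, encoded):
        return False


def check_password(password, encoded, hasher):
    """Mirror of the upgrade step in Django's check_password(): verify, and if
    the hasher reports the stored form as stale, re-encode with the current
    work factor. Returns (is_correct, encoded_value_to_store)."""
    if not hasher.verify(password, encoded):
        return False, encoded
    if hasher.must_update(encoded):
        return True, hasher.encode(password)
    return True, encoded


def stored_iterations(encoded):
    return int(encoded.split("$", 3)[1])


def verify_seconds(hasher, encoded, password):
    """Wall-clock cost of one verification. This is what an attacker pays per
    guess against a leaked hash, and it is fixed by the stored iteration
    count, not by the hasher's current setting."""
    start = time.perf_counter()
    hasher.verify(password, encoded)
    return time.perf_counter() - start


if __name__ == "__main__":
    password = "correct horse battery staple"
    old_release = PBKDF2Hasher(iterations=180_000)   # constructed "old" default
    stored = old_release.encode(password)            # hash written years ago

    # Same stored hash, three hasher configurations at the "new" work factor.
    for hasher in (PBKDF2Hasher(300_000), ThresholdHasher(300_000), FrozenHasher(300_000)):
        ok, to_store = check_password(password, stored, hasher)
        print(f"{type(hasher).__name__:16} login ok={ok} "
              f"iterations after login={stored_iterations(to_store):>7} "
              f"cost per guess={verify_seconds(hasher, to_store, password):.3f}s")
```

Only the unpatched hasher raises the stored work factor on login; with either patched variant the per-guess cost an attacker faces stays at whatever it was when the hash was first written, which is the "almost as bad as plaintext" effect described above once enough years pass.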