Hi Uri and all,

On Thu, 3 Sep 2020 08:37:42 +0100
Adam Johnson <m...@adamj.eu> wrote:

> I agree with Florian.
> 

Me too.

> The occasional forced logout is probably fine. If you care about this
> enough Uri, you could write a blog post documenting your patch and
> how to use it when upgrading Django.
> 

But:

> On Thu, 3 Sep 2020 at 08:29, Florian Apolloner <f.apollo...@gmail.com>
> wrote:
> > On Thursday, September 3, 2020 at 4:56:13 AM UTC+2 Uri wrote:
> >>
> >> I found out that this can be avoided by changing *def
> >> must_update*, for example if you change it to something like:
> >>
> >> def must_update(self, encoded):
> >>     # Update the stored password only if the iterations diff is at least 250,000.
> >>     algorithm, iterations, salt, hash = encoded.split('$', 3)
> >>     iterations_diff = abs(self.iterations - int(iterations))
> >>     return ((int(iterations) != self.iterations) and (iterations_diff >= 250000))
> >>
> >> Or even simply:
> >>
> >> def must_update(self, encoded):
> >>     return False
> >>

Please be aware that this is a security issue. The passwords are
encrypted as protection for the case that they fall into the hands of
an attacker, but for this protection to be effective, it must stay hard
and costly to brute-force them. The number of iterations is enlarged in
order to keep this cost up with the improvements of available hardware.
If you intend to keep a user's password un-updated for many years, it's
almost as bad as keeping it in plaintext -- in 10-15 years, we'd expect
the number of iterations in current Django to be grossly insufficient.

HTH,
        Shai.
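As an added illustration (not code from this thread or from Django itself), here is a small stand-in for the PBKDF2 hasher that contrasts Django's rehash-on-any-difference policy with the quoted patch; the storage format, the iteration counts and the threshold are assumptions, and the rehash happens at login because that is the only moment the plaintext is available to recompute the hash.

```python
import base64
import hashlib
import secrets

# Assumed "current" work factor for the demo, not a claim about any Django release.
CURRENT_ITERATIONS = 260000


def encode(password: str, salt: str, iterations: int) -> str:
    """Mimic the Django-style storage format: algorithm$iterations$salt$hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt, base64.b64encode(digest).decode()])


def verify(password: str, encoded: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _, iterations, salt, _ = encoded.split("$", 3)
    return secrets.compare_digest(encode(password, salt, int(iterations)), encoded)


def must_update_default(encoded: str, current: int = CURRENT_ITERATIONS) -> bool:
    """Django's behaviour: rehash whenever the stored count differs from the current one."""
    _, iterations, _, _ = encoded.split("$", 3)
    return int(iterations) != current


def must_update_patched(encoded: str, current: int = CURRENT_ITERATIONS, threshold: int = 250000) -> bool:
    """The quoted patch: rehash only when the gap is at least `threshold` iterations."""
    _, iterations, _, _ = encoded.split("$", 3)
    return abs(current - int(iterations)) >= threshold


def login_and_rehash(password: str, encoded: str, must_update, current: int = CURRENT_ITERATIONS) -> str:
    """Login path: verify, then refresh the stored hash if the chosen policy says so."""
    if not verify(password, encoded):
        raise ValueError("bad password")
    if must_update(encoded, current):
        return encode(password, secrets.token_hex(8), current)
    return encoded


def cost_ratio(encoded: str, current: int = CURRENT_ITERATIONS) -> float:
    """How much cheaper each offline guess against this stored hash is than against a current one."""
    _, iterations, _, _ = encoded.split("$", 3)
    return current / int(iterations)
```

With the patched policy a hash left at an older count stays there until the gap reaches the threshold, so `cost_ratio` reports exactly the discount an offline attacker gets on that row.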
