On Sat, Jun 15, 2013 at 2:24 PM, Luke Plant <l.plant...@cantab.net> wrote:

> 2) Should Django's security be improved by an additional salt that isn't
> stored in the database?
>
> Regarding number 2, this is not likely to happen quickly, due to
> backwards compatibility issues, and the need to introduce a new setting
> etc. (That may help you to decide question 1).
>
> It's definitely worth considering, of course. We would have to consider
> whether it is worth the work. For many installations, if an attacker has
> the database they are very likely to have the source code too. Of
> course, we should try to layer security so that it isn't all or nothing.
> But given the difficulties of changing things, we'd have to consider
> whether the increase in security, in a typical setup, would justify the
> change.
>

Are you suggesting this should be a change to Django itself? A new password
hasher that uses a per-user salt as well as a static salt stored outside
the database? Should I file this as a ticket or is this just hypothetical?

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.
For more options, visit https://groups.google.com/groups/opt_out.
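The hasher being asked about, as an added illustration that is not Django's code and not part of the thread: a random per-user salt stored next to the hash in Django's usual "algorithm$iterations$salt$hash" encoding, plus a static secret (conventionally called a pepper) that is kept outside the database. The pepper value, the algorithm label, the iteration count and the helper names here are assumptions made for this example; the point it shows is that a copy of the database row alone is no longer enough to test password guesses offline.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed secret for this example. In a deployment it would be read from
# settings or the environment and never written to the database.
PEPPER = b"example-pepper-kept-outside-the-database"

# Hypothetical algorithm label for the encoded form; not a Django hasher name.
ALGORITHM = "pbkdf2_sha256_pepper"
ITERATIONS = 20_000  # kept low so the example runs quickly; use more in practice


def _peppered(password: str, pepper: bytes) -> bytes:
    """Keyed hash of the password under the out-of-database secret.

    This digest, rather than the raw password, is what gets salted and
    stretched, so a stored hash cannot be checked against a guess without
    also holding the pepper.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def make_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[str] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'algorithm$iterations$salt$hash' for the given password."""
    if salt is None:
        # Fresh per-user salt; it is not secret and is stored with the hash.
        salt = secrets.token_urlsafe(12)
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    dk = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper),
                             salt.encode("ascii"), iterations)
    digest = base64.b64encode(dk).decode("ascii")
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, digest)


def check_password(password: str, encoded: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare."""
    try:
        algorithm, iterations, salt, _digest = encoded.split("$", 3)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = make_password(password, pepper, salt=salt, iterations=iterations)
    return hmac.compare_digest(candidate, encoded)


def offline_guess_without_pepper(guess: str, encoded: str) -> bool:
    """What an attacker holding only the database row can do: run PBKDF2 over
    the guess with the stored salt and compare. Without the pepper this does
    not match, even when the guess is the correct password."""
    _algorithm, iterations, salt, digest = encoded.split("$", 3)
    dk = hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"),
                             salt.encode("ascii"), int(iterations))
    return hmac.compare_digest(base64.b64encode(dk).decode("ascii"), digest)


if __name__ == "__main__":
    stored = make_password("correct horse battery staple")
    print(stored)
    print(check_password("correct horse battery staple", stored))                  # True
    print(check_password("correct horse battery staple", stored, pepper=b"other"))  # False
    print(offline_guess_without_pepper("correct horse battery staple", stored))    # False
```

Note the cost that the quoted reply alludes to: the encoded string carries the salt and iteration count but not the pepper, so changing or losing the pepper invalidates every stored hash at once unless a key identifier is also carried in the encoding and old peppers are retained for verification. That is the kind of setting and migration work a built-in hasher of this shape would have to plan for.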