Django 0.90 stored passwords as unsalted MD5. Django 0.91 added support for
salted SHA1 with automatic upgrade of passwords [0].
In Django 1.4, the new password hashing machinery was added and some users
complained that they couldn't upgrade because the password format from
Django 0.90 was no longer accepted (passwords encodings starting with
"md5$$" or "sha1$$", though the ticket suggests Django never used the
latter prefix) [1].
I wonder if it's about time to remove these hashers [2]? I think it'd be
okay for users who haven't logged in since Django 0.90 to reset their
password (assuming the site provides that mechanism). I would consider
recommending that site administrators mark any unsalted passwords
"unusable" to mitigate the possibility of leaking unsalted passwords in the
event the database is compromised.
I think this is as simple as:
users = User.objects.filter(password__startswith='md5$$')
for user in users:
user.set_unusable_password()
user.save(update_fields=['password']
[0] https://code.djangoproject.com/ticket/18144#comment:18
[1] https://code.djangoproject.com/ticket/18144
[2]
https://github.com/django/django/compare/master...timgraham:remove-unsalted-hashers
--
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/57cc065d-8349-4c0a-a731-4091206f194b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
