Django 0.90 stored passwords as unsalted MD5. Django 0.91 added support for salted SHA1 with automatic upgrade of passwords [0].
In Django 1.4, the new password hashing machinery was added and some users complained that they couldn't upgrade because the password format from Django 0.90 was no longer accepted (passwords encodings starting with "md5$$" or "sha1$$", though the ticket suggests Django never used the latter prefix) [1]. I wonder if it's about time to remove these hashers [2]? I think it'd be okay for users who haven't logged in since Django 0.90 to reset their password (assuming the site provides that mechanism). I would consider recommending that site administrators mark any unsalted passwords "unusable" to mitigate the possibility of leaking unsalted passwords in the event the database is compromised. I think this is as simple as: users = User.objects.filter(password__startswith='md5$$') for user in users: user.set_unusable_password() user.save(update_fields=['password'] [0] https://code.djangoproject.com/ticket/18144#comment:18 [1] https://code.djangoproject.com/ticket/18144 [2] https://github.com/django/django/compare/master...timgraham:remove-unsalted-hashers -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/57cc065d-8349-4c0a-a731-4091206f194b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.