Just to be clear, my proposal here is only about removing UnsaltedSHA1PasswordHasher and UnsaltedMD5PasswordHasher. The salted versions of these hashers remain. I don't think the unsalted versions have any speed advantages as far as testing goes compared to the salted versions? Django's test settings use MD5PasswordHasher, not the unsalted version.
On Tuesday, February 2, 2016 at 12:23:50 PM UTC-5, Raphaël Barrois wrote: > > Hi Tim, > > I would suggest removing those hashers from the default list, but keeping > at least the > django.contrib.auth.hashers.UnsaltedMD5PasswordHasher around. > > That hasher, being the fastest non-plaintext hasher around, is quite > useful when running tests: it allows login checks > to be performed much faster. > > Beyond this, the idea seems great — it's still pretty easy for a site to > keep them around if it needs them. > > > -- > Raphaël > > On Tue, 2 Feb 2016 08:10:50 -0800 (PST) > Tim Graham <timog...@gmail.com <javascript:>> wrote: > > > Django 0.90 stored passwords as unsalted MD5. Django 0.91 added support > for > > salted SHA1 with automatic upgrade of passwords [0]. > > > > In Django 1.4, the new password hashing machinery was added and some > users > > complained that they couldn't upgrade because the password format from > > Django 0.90 was no longer accepted (passwords encodings starting with > > "md5$$" or "sha1$$", though the ticket suggests Django never used the > > latter prefix) [1]. > > > > I wonder if it's about time to remove these hashers [2]? I think it'd be > > okay for users who haven't logged in since Django 0.90 to reset their > > password (assuming the site provides that mechanism). I would consider > > recommending that site administrators mark any unsalted passwords > > "unusable" to mitigate the possibility of leaking unsalted passwords in > the > > event the database is compromised. > > > > I think this is as simple as: > > > > users = User.objects.filter(password__startswith='md5$$') > > for user in users: > > user.set_unusable_password() > > user.save(update_fields=['password'] > > > > [0] https://code.djangoproject.com/ticket/18144#comment:18 > > [1] https://code.djangoproject.com/ticket/18144 > > [2] > > > https://github.com/django/django/compare/master...timgraham:remove-unsalted-hashers > > > > > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/ff38c257-7218-446b-9de8-0d14d5f108f0%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
