Acknowledged Donald, I just didn't want to bite off too much at once.

I think the unsalted hashers removal could be done as a 
backwards-incompatible change. I wrote up some documentation including 
queries to check if your database is affected: 
https://github.com/django/django/pull/6082
I'll be curious to know if anyone has a project that started in the Django 
0.90 era which returns some results for those queries.

About removing the SHA1PasswordHasher, MD5PasswordHasher, and/or 
CryptPasswordHasher -- I suspect many more users will be affected, so the 
normal deprecation process seems appropriate. To give an example, 8,484 
(64%) of the passwords for djangoproject.com users are SHA1. If the SHA1 
hasher is deprecated, what would we do? Options I can think of:

1. copy the hasher into the djangoproject.com source
2. release the legacy hashers as a separate package for those projects that 
need them
3. mark old passwords as unusable and force a reset if one of those users 
comes back

The max "last login" for a user with a SHA1 hash is February 2013.

Also, the MD5PasswordHasher is suggested in the documentation as a way to 
speed up tests, so we would need to change that, whether it's force_login() 
or some new "no-op test hasher".

On Tuesday, February 2, 2016 at 2:20:44 PM UTC-5, Donald Stufft wrote:
>
>
> On Feb 2, 2016, at 1:52 PM, Tim Graham <timog...@gmail.com> wrote:
>
> Just to be clear, my proposal here is only about removing 
> UnsaltedSHA1PasswordHasher and UnsaltedMD5PasswordHasher. The salted 
> versions of these hashers remain.
>
>
>
> It seems silly to remove the unsalted options and leave the salted 
> options; they are basically equally [1] secure, since computational power 
> is such that it's not really worth it to use rainbow tables anymore anyway.
>
> [1] Ok, Ok, technically salted are a wee bit more secure, but given that 
> you can compute the MD5 of every single possible lower case alphanumeric 
> of 6 characters or less in under a minute on a single regular 
> desktop/server, I don’t believe the distinction is useful.
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
>
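An added example, not code from this thread or from Django itself, showing one way to run the kind of audit Tim describes: classify each stored hash by algorithm, count them (the basis of a figure like "64% SHA1"), list the users that option 3 would force to reset, and find the most recent login among them. The user rows are constructed, and the format rules are assumptions modelled on Django's stored-hash conventions ("sha1$$" prefix for unsalted SHA1, a bare 32-hex digest or "md5$$" prefix for unsalted MD5, a leading "!" for unusable passwords).

```python
import secrets
from collections import Counter
from datetime import date

# Constructed sample user rows: (username, stored password field, last_login).
SAMPLE_USERS = [
    ("alice", "pbkdf2_sha256$24000$abcdefghijkl$" + "A" * 44, date(2016, 1, 30)),
    ("bob", "sha1$a1b2c3$" + "0" * 40, date(2013, 2, 1)),      # salted SHA1
    ("carol", "md5$4f5e6d$" + "1" * 32, date(2012, 6, 15)),    # salted MD5
    ("dave", "sha1$$" + "2" * 40, date(2008, 3, 3)),           # unsalted SHA1
    ("erin", "3" * 32, date(2007, 11, 9)),                     # unsalted MD5, no prefix
    ("frank", "!" + "x" * 40, None),                           # already unusable
]

# Hashers the thread discusses deprecating or removing.
WEAK_ALGORITHMS = {"unsalted_md5", "unsalted_sha1", "sha1", "md5", "crypt"}
UNUSABLE_PREFIX = "!"  # Django stores unusable passwords with a leading "!"


def identify_algorithm(encoded):
    """Name the hasher behind a stored password string.

    Format rules assumed from Django's identify_hasher(): unsalted SHA1 is
    "sha1$$<40 hex>", unsalted MD5 is a bare 32-hex digest or "md5$$<32 hex>",
    anything else is "<algorithm>$...".
    """
    if encoded.startswith(UNUSABLE_PREFIX):
        return "unusable"
    if (len(encoded) == 32 and "$" not in encoded) or (
        len(encoded) == 37 and encoded.startswith("md5$$")
    ):
        return "unsalted_md5"
    if len(encoded) == 46 and encoded.startswith("sha1$$"):
        return "unsalted_sha1"
    return encoded.split("$", 1)[0]


def audit(users):
    """Return (per-algorithm counts, usernames on weak hashers, latest weak login)."""
    counts = Counter(identify_algorithm(pw) for _, pw, _ in users)
    weak = [(name, last) for name, pw, last in users
            if identify_algorithm(pw) in WEAK_ALGORITHMS]
    logins = [last for _, last in weak if last is not None]
    return counts, [name for name, _ in weak], (max(logins) if logins else None)


def mark_unusable():
    """Option 3 from the thread: an unusable marker that forces a reset on the
    user's next visit. Mirrors Django's "!" + random-suffix convention (suffix
    length assumed)."""
    return UNUSABLE_PREFIX + secrets.token_hex(20)
```

Run against a real users table, the same classification gives the per-hasher breakdown and the "max last login" figure quoted above before deciding which option to take.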
