I would guess most users aren't customizing the default list of hashers, so I'd rather remove weak hashers from the PASSWORD_HASHERS setting and let anyone who needs to use a weak hasher define their own setting (at which point a warning probably isn't needed). Does that seem okay?
On Friday, February 5, 2016 at 3:20:41 PM UTC-5, Aymeric Augustin wrote: > > Adding a check for weak password hashers could be a good compromise to > drive attention to the issue but make it reasonably easy to ignore it if > you need MD5 for compatibility with other systems. > > -- > Aymeric. > > On 5 févr. 2016, at 21:11, Sergei Maertens <sergeim...@gmail.com > <javascript:>> wrote: > > This is my main concern as well. I often migrate old Joomla or other PHP > things that use md5, and it's really convenient that Django upgrades the > passwords for free for me. > > Although I guess I could just write the hasher as part of the project and > add it to the setting, but then that's an additional burding because you > need to keep track of potential new hashers that get added in the default > settings. > > On Friday, February 5, 2016 at 1:05:01 PM UTC+1, Rafał Pitoń wrote: >> >> Will I still be able to implement unsalted hasher if I so desire? >> >> Don't get me wrong, I understand thats pretty crappy way to store >> password, but there are times when you inherit large set of data from site >> that you are moving from some old PHP contraption that happens to be around >> since 2006, is big (>1000000 users), ran by company that dominates one of >> nation's markets and says "absolutely no" on making all those housewifes >> reset passwords, and your passwords happen to use md5(md5(pass) + >> md5(pass)) for passwords? >> > > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to django-develop...@googlegroups.com <javascript:>. > To post to this group, send email to django-d...@googlegroups.com > <javascript:>. > Visit this group at https://groups.google.com/group/django-developers. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/56677162-c020-4c2f-8d1f-b35ec0b9874d%40googlegroups.com > > <https://groups.google.com/d/msgid/django-developers/56677162-c020-4c2f-8d1f-b35ec0b9874d%40googlegroups.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > > > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/9e184cd6-69cc-4fe8-835e-055bc7121ac9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
