To answer my own question, I did a little experiment and cracked about 10% 
of the SHA1 password hashes in the djangoproject.com database in minutes on 
my several-year-old PC.

I think that's sufficiently weak to:
1. Make a blog post recommending that projects upgrade using the 
instructions in [1] 
2. Remove SHA1PasswordHasher from the default PASSWORD_HASHERS in Django 
1.10 to force projects to explicitly acknowledge use of an insecure hash if 
they require it.

[1] https://github.com/django/django/pull/6114

On Wednesday, February 10, 2016 at 5:16:11 PM UTC-5, Tim Graham wrote:
>
> Is salted SHA1 sufficiently insecure to remove it from the default 
> PASSWORD_HASHERS or should we leave it for now? Any project created before 
> pbkdf2 was introduced in Django 1.4 (March 2012) will likely have some SHA1 
> hashes unless all their users have logged in since. I've written 
> instructions on how to upgrade such passwords without requiring all your 
> users to log in [1]. If it's warranted, we could make a blog post advising 
> this. 
>
> [1] https://github.com/django/django/pull/6114 
>
> On Monday, February 8, 2016 at 3:12:28 PM UTC-5, Tim Graham wrote:
>>
>> Thanks for the feedback everyone. I've created a few action items:
>>
>> https://code.djangoproject.com/ticket/26187 - Remove weak password 
>> hashers from the default PASSWORD_HASHERS setting
>> https://code.djangoproject.com/ticket/26188 - Document how to wrap 
>> password hashers
>> https://github.com/django/djangoproject.com/issues/632 - Use a wrapped 
>> password hasher to upgrade SHA1 passwords
>>
>> On Saturday, February 6, 2016 at 3:56:00 AM UTC-5, Curtis Maloney wrote:
>>>
>>> I kept meaning to weigh in on this... but all my points have been made. 
>>>
>>> It sounds like the middle ground is to: 
>>>
>>> 1) remove them from the default list 
>>> 2) keep them in the codebase 
>>> 3) make them noisy (raise warnings) 
>>> 4) provide docs/tools on how to upgrade 
>>>
>>> Then we get "secure by default" (1), as well as "encouraging upgrades" 
>>> (3), whilst also "supporting slow-to-update installs" (4), and 
>>> "encouraging best practices" (3). 
>>>
>>>
>>> -- 
>>> C 
>>>
>>>
>>> On 06/02/16 19:51, Aymeric Augustin wrote: 
>>> > Yes, that would be good from the “security by default” standpoint. This 
>>> > would also allow us to trim the full list of hashers which is repeated 
>>> > several times in the docs. 
>>> > 
>>> > -- 
>>> > Aymeric. 
>>> > 
>>> >> On 6 Feb. 2016, at 00:03, Tim Graham <timog...@gmail.com> wrote: 
>>> >> 
>>> >> I would guess most users aren't customizing the default list of 
>>> >> hashers, so I'd rather remove weak hashers from the PASSWORD_HASHERS 
>>> >> setting and let anyone who needs to use a weak hasher define their own 
>>> >> setting (at which point a warning probably isn't needed). Does that 
>>> >> seem okay? 
>>> >> 
>>> >> On Friday, February 5, 2016 at 3:20:41 PM UTC-5, Aymeric Augustin wrote: 
>>> >> 
>>> >>     Adding a check for weak password hashers could be a good 
>>> >>     compromise to drive attention to the issue but make it reasonably 
>>> >>     easy to ignore it if you need MD5 for compatibility with other 
>>> >>     systems. 
>>> >> 
>>> >>     -- 
>>> >>     Aymeric. 
>>> >> 
>>> >>>     On 5 Feb. 2016, at 21:11, Sergei Maertens <sergeim...@gmail.com> wrote: 
>>> >>> 
>>> >>>     This is my main concern as well. I often migrate old Joomla or 
>>> >>>     other PHP things that use md5, and it's really convenient that 
>>> >>>     Django upgrades the passwords for free for me. 
>>> >>> 
>>> >>>     Although I guess I could just write the hasher as part of the 
>>> >>>     project and add it to the setting, but then that's an additional 
>>> >>>     burden because you need to keep track of potential new hashers 
>>> >>>     that get added in the default settings. 
>>> >>> 
>>> >>>     On Friday, February 5, 2016 at 1:05:01 PM UTC+1, Rafał Pitoń wrote: 
>>> >>> 
>>> >>>         Will I still be able to implement an unsalted hasher if I so 
>>> >>>         desire? 
>>> >>> 
>>> >>>         Don't get me wrong, I understand that's a pretty crappy way to 
>>> >>>         store passwords, but there are times when you inherit a large 
>>> >>>         set of data from a site that you are moving from some old PHP 
>>> >>>         contraption that happens to have been around since 2006, is big 
>>> >>>         (>1000000 users), run by a company that dominates one of the 
>>> >>>         nation's markets and says "absolutely no" to making all those 
>>> >>>         housewives reset passwords, and your passwords happen to use 
>>> >>>         md5(md5(pass) + md5(pass))? 
>>> >>> 
>>> >>> 
>>> >>>     -- 
>>> >>>     You received this message because you are subscribed to the 
>>> >>>     Google Groups "Django developers (Contributions to Django 
>>> >>>     itself)" group. 
>>> >>>     To unsubscribe from this group and stop receiving emails from it, 
>>> >>>     send an email to django-develop...@googlegroups.com. 
>>> >>>     To post to this group, send email to django-d...@googlegroups.com. 
>>> >>>     Visit this group at https://groups.google.com/group/django-developers. 
>>> >>>     To view this discussion on the web visit 
>>> >>>     https://groups.google.com/d/msgid/django-developers/56677162-c020-4c2f-8d1f-b35ec0b9874d%40googlegroups.com. 
>>> >>>     For more options, visit https://groups.google.com/d/optout. 

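The "wrapped hasher" upgrade that the tickets and PR above refer to, as an added example in plain Python (not Django's own code and not the code in PR 6114) so that it runs stand-alone: a stored `sha1$salt$hex` record is wrapped in PBKDF2 offline, without the password, is verified in its wrapped form on the next login, and is then re-hashed natively. The record formats, the iteration count and the helper names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed for the example, not Django's default

def legacy_sha1(password: str, salt: str) -> str:
    """Django's pre-1.4 salted SHA1: sha1(salt + password), hex encoded."""
    return hashlib.sha1((salt + password).encode()).hexdigest()

def pbkdf2_b64(secret: str, salt: str, iterations: int) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), iterations)
    return base64.b64encode(dk).decode()

def wrap_legacy_hash(stored: str) -> str:
    """Offline step: the weak digest (not the password) is run through PBKDF2,
    so every legacy row can be upgraded without any user logging in."""
    algo, salt, digest = stored.split("$")
    if algo != "sha1":
        raise ValueError("only sha1$salt$hex records are wrapped here")
    return f"sha1_wrapped${ITERATIONS}${salt}${pbkdf2_b64(digest, salt, ITERATIONS)}"

def native_hash(password: str) -> str:
    """Hash a known password directly with PBKDF2 and a fresh random salt."""
    salt = secrets.token_hex(8)
    return f"pbkdf2_sha256${ITERATIONS}${salt}${pbkdf2_b64(password, salt, ITERATIONS)}"

def verify(stored: str, password: str):
    """Return (is_valid, needs_rehash); wrapped records always need a rehash."""
    algo, iters, salt, expected = stored.split("$")
    if algo == "sha1_wrapped":
        # Recompute the legacy digest first, then the PBKDF2 layer on top of it.
        candidate = pbkdf2_b64(legacy_sha1(password, salt), salt, int(iters))
        return hmac.compare_digest(candidate, expected), True
    if algo == "pbkdf2_sha256":
        candidate = pbkdf2_b64(password, salt, int(iters))
        return hmac.compare_digest(candidate, expected), False
    raise ValueError(f"unsupported hasher: {algo}")

def check_and_upgrade(stored: str, password: str):
    """Login-time hook: on success return the record to store (re-hashed if it
    was still wrapped); on failure return None."""
    ok, needs_rehash = verify(stored, password)
    if not ok:
        return None
    return native_hash(password) if needs_rehash else stored
```

Once every legacy row has been wrapped, the plain `sha1` format no longer needs to be accepted at all, which is the point of dropping SHA1PasswordHasher from the defaults.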