For context, Francisco proposed this at 
https://code.djangoproject.com/ticket/33793 which was marked wontfix by Mariusz 
with the comment: 

> Django keeps "weak" password hashers for support with legacy systems and
> speeding up the tests
> <https://docs.djangoproject.com/en/stable/topics/testing/overview/#password-hashing>.
>
> Moreover they are not enabled by default
> <https://docs.djangoproject.com/en/stable/ref/settings/#password-hashers>,
> so you must add them explicitly to the PASSWORD_HASHERS. Folks that do this
> should be aware of their weakness. IMO there is no need for a new system
> check.

Francisco, have you seen this mistake made? It doesn't seem very likely to 
me. Typically, the setting is customized in a test settings file; thus, I 
don't see how this could propagate to a production environment.

On Tuesday, June 21, 2022 at 11:18:04 AM UTC-4 Francisco wrote:

> I think it would be a good idea to add a check for insecure hashers on 
> PASSWORD_HASHERS[0], 
> I know the insecure ones are not enabled by default, but I think it would 
> be useful to warn users that have enabled them that it's a bad idea.
>
> They could have enabled them on production while thinking they only 
> enabled them for testing for example.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
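As an added illustration of the check Francisco is proposing (this is example code written for this thread, not Django's own `django.core.checks` implementation): a standalone function that inspects a `PASSWORD_HASHERS` list and warns only when the first entry is one of the legacy hashers, since Django hashes new passwords with `PASSWORD_HASHERS[0]` and uses the remaining entries for verifying and upgrading existing hashes. The `CheckWarning` class and the `auth.W999` id are placeholders, not real Django identifiers.

```python
from dataclasses import dataclass

# Hasher classes Django ships only for legacy verification and fast tests
# (class paths as they appear in django.contrib.auth.hashers).
INSECURE_HASHERS = frozenset({
    "django.contrib.auth.hashers.MD5PasswordHasher",
    "django.contrib.auth.hashers.SHA1PasswordHasher",
    "django.contrib.auth.hashers.UnsaltedMD5PasswordHasher",
    "django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher",
    "django.contrib.auth.hashers.CryptPasswordHasher",
})


@dataclass(frozen=True)
class CheckWarning:
    """Hypothetical stand-in for django.core.checks.Warning."""
    msg: str
    hint: str
    id: str


def check_password_hashers(password_hashers):
    """Return warnings for a PASSWORD_HASHERS setting value.

    Only position 0 matters for newly stored passwords: a weak hasher
    later in the list is legitimate (it lets Django verify and then
    upgrade legacy hashes), but a weak hasher first in the list means
    every password set from now on is stored with that weak algorithm.
    """
    warnings = []
    if not password_hashers:
        return warnings
    first = password_hashers[0]
    if first in INSECURE_HASHERS:
        warnings.append(CheckWarning(
            msg=f"PASSWORD_HASHERS[0] is {first}, which is not suitable "
                "for storing passwords.",
            hint="Keep insecure hashers in test-only settings, or list them "
                 "after a strong hasher so they are used only to verify and "
                 "upgrade existing hashes.",
            id="auth.W999",  # placeholder id, not a real Django check id
        ))
    return warnings


# Constructed sample settings: a test override that leaked into production
# (weak hasher first) versus a legitimate legacy-migration ordering.
LEAKED_TEST_SETTING = ["django.contrib.auth.hashers.MD5PasswordHasher"]
MIGRATION_SETTING = ["django.contrib.auth.hashers.PBKDF2PasswordHasher",
                     "django.contrib.auth.hashers.MD5PasswordHasher"]
```

Running `check_password_hashers(LEAKED_TEST_SETTING)` yields one warning, while `MIGRATION_SETTING` yields none because the weak hasher is not in position 0.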