For those who need something like this, I created a Python package
"django-peppered-passwords".

https://github.com/fatih-erikli/django-peppered-passwords

On Mon, Jun 19, 2023 at 8:54 PM Fatih Erikli <fatih.erikli.w...@gmail.com>
wrote:

> I recently created a ticket about it
> https://code.djangoproject.com/ticket/34661
>
> It has been marked duplicate of
> https://code.djangoproject.com/ticket/30561
>
> There is a NIST document added to the original ticket.
> I think if there is going to be any compliance investigation about a
> Django project, this will cause an issue.
>
> Having salts in user tables raises different questions about the necessity
> of them, like: if they are stored next to the password, why do we hash the
> password with a salt? There is so much work done already at that level. I
> think it should be a complete solution and should not leave any concern to
> the developers.
>
> I don't want to invent authentication for my project myself. I don't want
> to use a patched or extended version of Django. Having a developer
> community consensus about the things we should be concerned about helps me
> focus on the project. This is why I think we should have it in new Django
> projects by default.
>
> On Tuesday, June 9, 2015 at 5:31:48 PM UTC+3 Aymeric Augustin wrote:
>
>> Hello,
>>
>> 2015-06-09 16:16 GMT+02:00 Josh Smeaton <josh.s...@gmail.com>:
>>
>>> You're referring to a "pepper" - a site wide secret that's supposed to
>>> be used, in some way, to further encrypt passwords. As far as I'm aware
>>> there are no algorithms available that take a pepper into consideration.
>>>
>>
>> I'm also wary of implementing a mechanism that isn't considered a best
>> practice in the industry.
>>
>> Pepper doesn't achieve anything that you couldn't do by changing the
>> number of rounds (or perhaps the salt length, but I'm not sure that makes
>> sense). Any additional code adds potential for implementation mistakes that
>> could introduce security issues.
>>
>> As a consequence, I think there are more risks than benefits to this
>> proposal as it stands. I would change my mind if pepper countered a common
>> class of attacks, like salt countered rainbow tables.
>>
>> --
>> Aymeric.
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/60f94770-ec26-4713-9b42-2b506a40fc68n%40googlegroups.com
> <https://groups.google.com/d/msgid/django-developers/60f94770-ec26-4713-9b42-2b506a40fc68n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>

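The construction the thread is debating, written out as an added example; this is not code from Django, nor from the django-peppered-passwords package linked above. The password is keyed with a site-wide pepper via HMAC before the usual salted PBKDF2, and the stored string carries a pepper version tag so the secret can be rotated (old hashes are re-hashed on the next successful login). The pepper values, the iteration count, the `peppered_pbkdf2_sha256` label and the `crack_with_db_only` attacker model are all constructed for this demo. The last function shows the scenario a pepper is meant for: an attacker holding only the user table (salt and hash, but not the pepper) cannot run a wordlist against it, while the same attacker with the pepper can, which is why the pepper must live outside the database.

```python
# Added example: peppered password hashing. Not Django's hasher and not the
# django-peppered-passwords package; names and constants below are assumptions.
import hashlib
import hmac
import secrets

ALGORITHM = "peppered_pbkdf2_sha256"   # constructed label for the encoded format
ITERATIONS = 600_000                   # assumption: PBKDF2-HMAC-SHA256 work factor

# Constructed demo peppers, keyed by version so the secret can be rotated.
# A real deployment loads these from the environment or a secret store,
# never from the same database that holds the password hashes.
PEPPERS = {
    "v1": bytes.fromhex("0f" * 32),
    "v2": bytes.fromhex("a7" * 32),
}
CURRENT_PEPPER = "v2"


def _keyed_password(password: str, pepper: bytes) -> bytes:
    # HMAC binds the password to the pepper: without the pepper an attacker
    # cannot even compute the input that PBKDF2 was run over.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def make_password(password, pepper_id=CURRENT_PEPPER, salt=None,
                  iterations=ITERATIONS, peppers=PEPPERS):
    """Return '<algo>$<pepper_id>$<iterations>$<salt_hex>$<hash_hex>'."""
    salt = salt if salt is not None else secrets.token_bytes(16)  # per-user salt
    dk = hashlib.pbkdf2_hmac("sha256", _keyed_password(password, peppers[pepper_id]),
                             salt, iterations)
    return "$".join([ALGORITHM, pepper_id, str(iterations), salt.hex(), dk.hex()])


def check_password(password, encoded, peppers=PEPPERS):
    """Constant-time verification; False on malformed input or unknown pepper."""
    try:
        algo, pepper_id, iterations, salt_hex, dk_hex = encoded.split("$")
    except ValueError:
        return False
    if algo != ALGORITHM or pepper_id not in peppers:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _keyed_password(password, peppers[pepper_id]),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(encoded, current_pepper_id=CURRENT_PEPPER, iterations=ITERATIONS):
    """True if the stored hash uses an old pepper or a lower work factor.

    Call this after a successful check_password and re-hash with the plaintext
    you still have in hand; that is the only point at which a pepper rotation
    can be completed."""
    parts = encoded.split("$")
    return (len(parts) != 5 or parts[1] != current_pepper_id
            or int(parts[2]) < iterations)


def crack_with_db_only(encoded, wordlist, leaked_pepper=None):
    """Attacker model: the user table leaked, so salt, iterations and hash are
    known. Returns the recovered password or None.

    With leaked_pepper=None the attacker's best move is to feed raw guesses to
    PBKDF2; that stands in for any attack that does not know the pepper, since
    the real PBKDF2 input was an HMAC under a 256-bit key they do not have."""
    _, _, iterations, salt_hex, dk_hex = encoded.split("$")
    salt, target = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    for guess in wordlist:
        if leaked_pepper is None:
            candidate_input = guess.encode("utf-8")
        else:
            candidate_input = _keyed_password(guess, leaked_pepper)
        candidate = hashlib.pbkdf2_hmac("sha256", candidate_input, salt, int(iterations))
        if hmac.compare_digest(candidate, target):
            return guess
    return None


if __name__ == "__main__":
    # Constructed wordlist for the demo; low iteration count keeps it quick.
    stored = make_password("hunter2", iterations=10_000)
    words = ["123456", "password", "letmein", "hunter2"]
    print("verify:", check_password("hunter2", stored))
    print("db-only crack:", crack_with_db_only(stored, words))
    print("db + pepper crack:", crack_with_db_only(stored, words, PEPPERS["v2"]))
    print("needs rehash:", needs_rehash(make_password("hunter2", pepper_id="v1")))
```

Two practical caveats the thread does not spell out: a pepper applied this way only helps against a database-only compromise (if the attacker also reaches the application host or its secret store, it adds nothing), and because the pepper is not stored with the hash, losing it makes every stored password unverifiable, so it needs the same backup discipline as a signing key.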