#31358: Increase default password salt size in BasePasswordHasher.
--------------------------------------+------------------------------------
     Reporter:  Jon Moroney           |                    Owner:  nobody
         Type:  Cleanup/optimization  |                   Status:  new
    Component:  Utilities             |                  Version:  master
     Severity:  Normal                |               Resolution:
     Keywords:                        |             Triage Stage:  Accepted
    Has patch:  1                     |      Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  1
Easy pickings:  0                     |                    UI/UX:  0
--------------------------------------+------------------------------------

Comment (by Florian Apolloner):

 Replying to [comment:23 Jon Moroney]:
 > I think it's probably better to require the decode function rather than
 having to deal with if it exists or not and update salt lengths only if
 the function does exist. I feel that having this be optional will only
 lead to more headaches down the line.

 I am not sure it is that hard; it would also help with backwards compat.
 I.e. have a default decode method in `BaseHasher` which returns an empty
 dict and then:

  * When it is time to check the salt length (i.e. in `must_update`), call
 `decode` and if there is no `salt` in it raise a
 `PendingDeprecationWarning` (and then `DeprecationWarning` followed by an
 error in subsequent Django versions [i.e. change the method to
 NotImplemented]).

  * We can immediately update builtin hashers with a new `decode` method
 that gets used as needed (`safe_summary` and wherever decoding is
 needed). This should also allow me to finally easily upgrade Argon hashing
 to the "new" variant.

  * This way 3rd party authors get the old salt for a while, being able to
 update as needed. This is probably necessary since we cannot argue the
 salt change is important enough to throw all backwards compat concerns
 overboard.

 > Let me know how you feel about this and I can update the PR to include
 similar `decode()`s for the other hashers included.

 Generally good, but I do not think that a `decode` as used here should
 have translations for dictionary keys, that is solely for use in
 `safe_summary` imo.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/31358#comment:24>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
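The scheme discussed in the comment above (a default `decode()` on the base hasher that returns an empty dict, a `must_update()` that warns with `PendingDeprecationWarning` when no salt comes back and otherwise compares the stored salt length against a target, builtin hashers implementing `decode()` with raw fields only and `safe_summary()` doing the presentation), as an added, self-contained sketch. It is not code from the ticket, its patch, or Django itself: the class names, the `salt_entropy` target, the encoded-string layout, the `PBKDF2Hasher`/`LegacyThirdPartyHasher` hashers and the iteration count are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import secrets
import warnings

# Constructed sketch of the proposal in the comment above. Not Django's code:
# the class/method names (BasePasswordHasher, decode, must_update,
# salt_entropy), the encoded-string layout and the salt target are
# assumptions chosen for this example.

SALT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


class BasePasswordHasher:
    algorithm = None
    # Assumed target salt length: 22 symbols from a 62-symbol alphabet is
    # roughly 131 bits of entropy.
    salt_entropy = 22

    def salt(self):
        return "".join(secrets.choice(SALT_ALPHABET) for _ in range(self.salt_entropy))

    def encode(self, password, salt):
        raise NotImplementedError

    def verify(self, password, encoded):
        raise NotImplementedError

    def decode(self, encoded):
        # Default for hashers that predate decode(): nothing is known about
        # the encoded string, so must_update() cannot check the salt.
        return {}

    def must_update(self, encoded):
        decoded = self.decode(encoded)
        if "salt" not in decoded:
            warnings.warn(
                "%s does not provide decode(); add one that returns the salt, "
                "as the default decode() will be removed in a future version."
                % type(self).__name__,
                PendingDeprecationWarning,
            )
            return False  # old behaviour: no forced rehash for legacy hashers
        return len(decoded["salt"]) < self.salt_entropy


class PBKDF2Hasher(BasePasswordHasher):
    algorithm = "pbkdf2_sha256"
    iterations = 100000  # example value, not a recommendation

    def encode(self, password, salt, iterations=None):
        iterations = iterations or self.iterations
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
        return "%s$%d$%s$%s" % (
            self.algorithm, iterations, salt, base64.b64encode(digest).decode("ascii"))

    def decode(self, encoded):
        # Raw fields only; display labels and translations belong in safe_summary().
        algorithm, iterations, salt, hash_ = encoded.split("$", 3)
        assert algorithm == self.algorithm
        return {"algorithm": algorithm, "iterations": int(iterations), "salt": salt, "hash": hash_}

    def verify(self, password, encoded):
        decoded = self.decode(encoded)
        candidate = self.encode(password, decoded["salt"], decoded["iterations"])
        return hmac.compare_digest(candidate.encode(), encoded.encode())

    def must_update(self, encoded):
        # Hasher-specific check first, then the shared salt-length check.
        return self.decode(encoded)["iterations"] != self.iterations or super().must_update(encoded)

    def safe_summary(self, encoded):
        decoded = self.decode(encoded)
        return {
            "algorithm": decoded["algorithm"],
            "iterations": decoded["iterations"],
            "salt": decoded["salt"][:2] + "*" * (len(decoded["salt"]) - 2),
            "hash": decoded["hash"][:6] + "*" * (len(decoded["hash"]) - 6),
        }


class LegacyThirdPartyHasher(BasePasswordHasher):
    """A third-party hasher that never learned about decode(): still works, with a warning."""
    algorithm = "legacy_sha1"

    def encode(self, password, salt):
        return "%s$%s$%s" % (self.algorithm, salt, hashlib.sha1((salt + password).encode()).hexdigest())

    def verify(self, password, encoded):
        _, salt, _ = encoded.split("$", 2)
        return hmac.compare_digest(self.encode(password, salt).encode(), encoded.encode())


def check_legacy_hasher():
    """Legacy hasher: must_update() stays False but a PendingDeprecationWarning is emitted."""
    hasher = LegacyThirdPartyHasher()
    encoded = hasher.encode("correct horse", "12345678")  # constructed 8-char salt
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        needs_update = hasher.must_update(encoded)
    warned = any(issubclass(w.category, PendingDeprecationWarning) for w in caught)
    return needs_update, warned


def check_new_hasher():
    """New hasher: an 8-char stored salt forces a rehash, a fresh 22-char salt does not."""
    hasher = PBKDF2Hasher()
    old = hasher.encode("correct horse", "12345678")       # constructed short salt
    fresh = hasher.encode("correct horse", hasher.salt())  # full-length salt
    return hasher.verify("correct horse", old), hasher.must_update(old), hasher.must_update(fresh)


if __name__ == "__main__":
    print("legacy (needs_update, warned):", check_legacy_hasher())
    print("new (verify_ok, old_needs_update, fresh_needs_update):", check_new_hasher())
```

The old hash still verifies, so the rehash happens transparently on the next successful login, which is where `must_update()` is normally consulted; the legacy hasher is neither broken nor silently left behind, it just gets a warning until it grows a `decode()`.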
