#31358: Increase default password salt size in BasePasswordHasher.
--------------------------------------+------------------------------------
     Reporter:  Jon Moroney           |                    Owner:  nobody
         Type:  Cleanup/optimization  |                   Status:  new
    Component:  Utilities             |                  Version:  master
     Severity:  Normal                |               Resolution:
     Keywords:                        |             Triage Stage:  Accepted
    Has patch:  1                     |      Needs documentation:  0
  Needs tests:  0                     |  Patch needs improvement:  1
Easy pickings:  0                     |                    UI/UX:  0
--------------------------------------+------------------------------------

Comment (by Florian Apolloner):

 Replying to [comment:23 Jon Moroney]:
 > I think it's probably better to require the decode function rather than
 > having to deal with if it exists or not and update salt lengths only if
 > the function does exist. I feel that having this be optional will only
 > lead to more headaches down the line.

 I am not sure it is that hard, it would also help with backwards compat.
 I.e. have a default decode method in `BaseHasher` which returns an empty
 dict and then:

  * When it is time to check the salt length (i.e. in `must_update`), call
    `decode` and if there is no `salt` in it raise a
    `PendingDeprecationWarning` (and then `DeprecationWarning` followed by
    an error in subsequent Django versions [i.e. change the method to
    NotImplemented]).
  * We can immediately update built-in hashers with a new `decode` method
    that gets used as needed (`safe_summary` and wherever decoding is
    needed). This should also allow me to finally easily upgrade Argon
    hashing to the "new" variant.
  * This way 3rd party authors get the old salt for a while being able to
    update as needed. This is probably necessary since we cannot argue the
    salt change is important enough to throw all backwards concerns
    overboard.

 > Let me know how you feel about this and I can update the PR to include
 > similar `decode()`s for the other hashers included.

 Generally good, but I do not think that a `decode` as used here should
 have translations for dictionary keys, that is solely for use in
 `safe_summary` imo.

--
Ticket URL: <https://code.djangoproject.com/ticket/31358#comment:24>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
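
The fallback proposed in the comment above, as an added sketch that is not Django's code and not part of the original message. The class names, the `check` helper, the `TARGET_SALT_CHARS` value and the sample strings are all hypothetical and constructed for illustration.

```python
import warnings

TARGET_SALT_CHARS = 22  # constructed for this sketch, not a value from the ticket

class SketchBaseHasher:
    """Hypothetical stand-in for the base hasher class in the comment."""
    algorithm = None

    def decode(self, encoded):
        return {}  # default: a hasher without its own decode() reveals nothing

    def must_update(self, encoded):
        decoded = self.decode(encoded)
        if "salt" not in decoded:
            # Not updated yet: warn and leave the old salt alone for now.
            warnings.warn(
                f"{type(self).__name__} has no decode(); salt length unchecked",
                PendingDeprecationWarning, stacklevel=2)
            return False
        return len(decoded["salt"]) < TARGET_SALT_CHARS

class SketchPBKDF2Hasher(SketchBaseHasher):
    """Built-in style format: <algorithm>$<iterations>$<salt>$<hash>."""
    algorithm = "pbkdf2_sha256"

    def decode(self, encoded):
        algorithm, iterations, salt, digest = encoded.split("$", 3)
        if algorithm != self.algorithm:
            raise ValueError("encoded value belongs to another hasher")
        # Plain keys only; translated labels stay in safe_summary.
        return {"algorithm": algorithm, "iterations": int(iterations),
                "salt": salt, "hash": digest}

class LegacyThirdPartyHasher(SketchBaseHasher):
    """Third-party hasher that has not added decode() yet."""
    algorithm = "legacy"

def check(hasher, encoded):
    """Return (must_update, names of warnings raised) for one stored value."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        result = hasher.must_update(encoded)
    return result, [w.category.__name__ for w in caught]

# Constructed sample values, not real password hashes.
SHORT = "pbkdf2_sha256$1000$abcdefghijkl$ZmFrZWhhc2g="
LONG = "pbkdf2_sha256$1000$abcdefghijklmnopqrstuv$ZmFrZWhhc2g="
LEGACY = "legacy$1$x$y"
```

`PendingDeprecationWarning` is ignored by Python's default warning filters, so the legacy path stays silent in production unless warnings are enabled, for example with `python -W always`.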