#31358: Increase default password salt size in BasePasswordHasher.
--------------------------------------+------------------------------------
     Reporter:  Jon Moroney            |         Owner:  nobody
         Type:  Cleanup/optimization   |        Status:  new
    Component:  Utilities              |       Version:  master
     Severity:  Normal                 |    Resolution:
     Keywords:                         |  Triage Stage:  Accepted
    Has patch:  1                      |  Needs documentation:  1
  Needs tests:  0                      |  Patch needs improvement:  1
Easy pickings:  0                      |         UI/UX:  0
--------------------------------------+------------------------------------
Comment (by Florian Apolloner):

Given that https://github.com/django/django/pull/12675 is nearing completion (I expect it to get merged soon), it is time to think about this again. I had time to refresh my memory on how the salts work for the algos in question. I think it would be a good idea to define the salt_length in actual terms of entropy and not the length of the resulting string. To that extent I think the default `salt` function should change to something along the lines of:

{{{
import math

from django.utils.crypto import get_random_string


class BasePasswordHasher:
    salt_len = 71  # information entropy in bits

    def salt(self):
        """Generate a cryptographically secure nonce salt in ASCII."""
        # get_random_string() draws from a 62-character alphabet; this is the
        # number of such characters needed to carry salt_len bits of entropy.
        char_count = math.ceil(math.log10(math.pow(2, self.salt_len)) / math.log10(62))
        return get_random_string(char_count)
}}}

At this point I'd probably change the `encode()` function to accept an empty salt and let the hashers generate the salt themselves if needed (argon2 for instance could do well like this and passing a salt to bcrypt makes no sense either). This way we would also get rid of the weirdness of bytes vs ASCII in the salt string and could pass the output of `os.urandom(some_length)` to the algorithms directly -- although that will probably not be as easy since we do have to be able to translate the existing salt strings *scratches head*.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/31358#comment:40>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
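A worked example of the entropy-based sizing proposed in the comment, added here and not code from the ticket or from Django: it computes how many base-62 characters carry a given number of bits (the rounding the `math.log10` expression performs), shows why the current 12-character salt corresponds to roughly 71 bits, and contrasts it with the raw `os.urandom`-style bytes the comment mentions. `secrets.choice` stands in for `get_random_string` and the `make_salt`/`raw_salt_bytes` helpers are this example's own names (assumptions, not Django API).

```python
import math
import secrets
import string

# The 62-character alphabet get_random_string() uses by default: [a-zA-Z0-9].
ALPHABET = string.ascii_letters + string.digits


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols
    drawn from an alphabet of `alphabet_size` symbols: length * log2(size)."""
    return length * math.log2(alphabet_size)


def chars_for_entropy(bits: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest string length over the alphabet carrying at least `bits`
    bits of entropy. Equivalent to ceil(log10(2**bits) / log10(size))
    from the comment, written with log2 to avoid the intermediate 2**bits."""
    return math.ceil(bits / math.log2(alphabet_size))


def make_salt(bits: int = 71, alphabet: str = ALPHABET) -> str:
    """Generate an ASCII salt sized by entropy rather than by character count.

    secrets.choice is a CSPRNG-backed stand-in for get_random_string (assumed
    equivalent for this purpose); the caller never picks a character count."""
    length = chars_for_entropy(bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def raw_salt_bytes(bits: int = 71) -> bytes:
    """The raw-bytes alternative the comment mentions: whole random bytes
    carry exactly 8 bits each, so no rounding against an alphabet is needed."""
    return secrets.token_bytes(math.ceil(bits / 8))


if __name__ == "__main__":
    # A 12-character base-62 salt is ~71.45 bits, which is where 71 comes from.
    print("bits in 12 base-62 chars:", round(entropy_bits(12), 2))
    print("chars for 71 bits:", chars_for_entropy(71))
    print("chars for 128 bits:", chars_for_entropy(128))
    print("ascii salt:", make_salt())
    print("raw salt:", raw_salt_bytes().hex())
```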