#19043: Mutable Password Hash Strength
-------------------------------------+-------------------------------------
     Reporter:  jbuckner             |                    Owner:  nobody
         Type:  New feature          |                   Status:  new
    Component:  contrib.auth         |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:  auth, bcrypt,        |             Triage Stage:
  pbkdf2                             |  Unreviewed
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by ptone):

 The bar is pretty high for introducing new settings - I'm not sure this
 passes that bar.

 The subclassing of the hashers is very straightforward and even well
 documented:

 https://docs.djangoproject.com/en/dev/topics/auth/#increasing-the-work-factor

 You don't have to actually write your own hasher when subclassing in this
 case, just change a few attributes.

 I do think an argument could be made for changing the {{{must_update}}}
 flag to check if the same hasher is being used, not just the same
 algorithm. That would address the second part of your changes.

 Another reason not to introduce these settings is that it makes our sane
 security defaults a little too easy to muck with. The project has to
 tread a line between defaults that are robust and not easily circumvented
 by genuine accident, while still allowing those who know what they are
 doing to make the changes they need to. Subclassing seems to strike that
 balance better than a pair of settings.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/19043#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
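The two points in the comment above, raising the work factor by subclassing and changing only attributes, and the weakness of an upgrade check that compares algorithm names rather than hashers, can be shown side by side. The following is an added example written for this page; it is neither the ticket's patch nor Django's own code. It is a stand-alone sketch in plain Python (hashlib only) of a Django-style hasher whose encoded form follows the `algorithm$iterations$salt$hash` layout. The class and function names (`PBKDF2Hasher`, `StrongerPBKDF2Hasher`, `check_password_algorithm_only`, `check_password_with_must_update`, `demo`) and the iteration counts are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets


class PBKDF2Hasher:
    """Minimal stand-in for a Django-style password hasher (assumed for this
    example, not Django's class). The work factor is a class attribute, so a
    subclass can raise it without writing any hashing logic of its own."""

    algorithm = "pbkdf2_sha256"
    iterations = 10000  # illustrative default work factor
    digest = "sha256"

    def salt(self) -> str:
        return secrets.token_hex(8)

    def encode(self, password: str, salt: str) -> str:
        dk = hashlib.pbkdf2_hmac(self.digest, password.encode(), salt.encode(), self.iterations)
        b64 = base64.b64encode(dk).decode("ascii")
        # Django-like layout: algorithm$iterations$salt$hash
        return f"{self.algorithm}${self.iterations}${salt}${b64}"

    def verify(self, password: str, encoded: str) -> bool:
        algorithm, iterations, salt, b64 = encoded.split("$", 3)
        if algorithm != self.algorithm:
            return False
        # Verification uses the iteration count stored in the hash, so old
        # hashes keep verifying after the class attribute is raised.
        dk = hashlib.pbkdf2_hmac(self.digest, password.encode(), salt.encode(), int(iterations))
        return hmac.compare_digest(base64.b64encode(dk).decode("ascii"), b64)

    def must_update(self, encoded: str) -> bool:
        """True when the stored hash uses a different work factor than this
        hasher currently produces."""
        _, iterations, _, _ = encoded.split("$", 3)
        return int(iterations) != self.iterations


class StrongerPBKDF2Hasher(PBKDF2Hasher):
    # The subclass only changes an attribute: same algorithm tag, higher cost.
    iterations = 20000


def check_password_algorithm_only(password, encoded, preferred, registry):
    """Upgrade decision that compares algorithm names only. Because the
    subclass shares the algorithm tag, a hash made with the old work factor
    is never flagged for re-encoding."""
    hasher = registry[encoded.split("$", 1)[0]]
    is_correct = hasher.verify(password, encoded)
    needs_rehash = hasher.algorithm != preferred.algorithm
    return is_correct, is_correct and needs_rehash


def check_password_with_must_update(password, encoded, preferred, registry):
    """Same check, but it also asks the preferred hasher whether the stored
    work factor is stale, which is what the comment suggests."""
    hasher = registry[encoded.split("$", 1)[0]]
    is_correct = hasher.verify(password, encoded)
    needs_rehash = hasher.algorithm != preferred.algorithm or preferred.must_update(encoded)
    return is_correct, is_correct and needs_rehash


def demo(password="correct horse battery staple"):
    """Hash with the old work factor, then run both upgrade checks against
    the stronger subclass configured as the preferred hasher."""
    legacy = PBKDF2Hasher()
    preferred = StrongerPBKDF2Hasher()
    # The registry maps algorithm tags to configured hashers; both classes
    # share the tag, so lookup by algorithm returns the subclass.
    registry = {preferred.algorithm: preferred}
    old_hash = legacy.encode(password, legacy.salt())

    ok_a, rehash_a = check_password_algorithm_only(password, old_hash, preferred, registry)
    ok_b, rehash_b = check_password_with_must_update(password, old_hash, preferred, registry)

    # After re-encoding with the preferred hasher nothing is stale any more.
    new_hash = preferred.encode(password, preferred.salt())
    return {
        "algorithm_only": (ok_a, rehash_a),
        "with_must_update": (ok_b, rehash_b),
        "upgraded_is_stale": preferred.must_update(new_hash),
        "wrong_password_ok": check_password_with_must_update("wrong", old_hash, preferred, registry)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The algorithm-only check verifies the old hash correctly but reports no need to rehash, so users would stay on the lower work factor indefinitely; the variant that consults `must_update` on the preferred hasher flags the same hash for re-encoding on the next successful login.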
