Re: [Django] #19043: Mutable Password Hash Strength

2014-08-27 Thread Django
#19043: Mutable Password Hash Strength
-+-
 Reporter:  jbuckner |Owner:  nobody
 Type:  New feature  |   Status:  closed
Component:  contrib.auth |  Version:  master
 Severity:  Normal   |   Resolution:  duplicate
 Keywords:  auth, bcrypt,| Triage Stage:  Accepted
  pbkdf2 |  Needs documentation:  1
Has patch:  1|  Patch needs improvement:  1
  Needs tests:  0|UI/UX:  0
Easy pickings:  0|
-+-
Changes (by timgraham):

 * status:  new => closed
 * resolution:   => duplicate


Comment:

 Existing passwords should be updated as of #21535 (Django 1.6.1).

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/066.de78648f05b14598536a8f8103038b23%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Django] #19043: Mutable Password Hash Strength

2013-08-29 Thread Django
#19043: Mutable Password Hash Strength
--+
 Reporter:  jbuckner  |Owner:  nobody
 Type:  New feature   |   Status:  new
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:  auth, bcrypt, pbkdf2  | Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  1
  Needs tests:  0 |  Patch needs improvement:  1
Easy pickings:  0 |UI/UX:  0
--+
Changes (by timo):

 * needs_better_patch:  0 => 1
 * needs_docs:  0 => 1


Re: [Django] #19043: Mutable Password Hash Strength

2013-01-02 Thread Django
#19043: Mutable Password Hash Strength
--+
 Reporter:  jbuckner  |Owner:  nobody
 Type:  New feature   |   Status:  new
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:  auth, bcrypt, pbkdf2  | Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+

Comment (by aaugustin):

 Really, this doesn't pass the threshold for introducing new settings.

 Since GitHub doesn't offer any options besides open/close, I've closed the
 pull request; you're welcome to reopen it with a patch that:
 - doesn't introduce new settings
 - updates the documentation on increasing the work factor
 - changes the implementation of must_update to take into account the
 number of rounds

Re: [Django] #19043: Mutable Password Hash Strength

2012-10-28 Thread Django
#19043: Mutable Password Hash Strength
--+
 Reporter:  jbuckner  |Owner:  nobody
 Type:  New feature   |   Status:  new
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:  auth, bcrypt, pbkdf2  | Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  0 |UI/UX:  0
--+
Changes (by aaugustin):

 * stage:  Unreviewed => Accepted


Comment:

 If I understand correctly, the technique described in the documentation to
 increase the work factor will only work for new passwords; existing
 passwords won't be upgraded. I'm accepting the ticket on this basis.

 However, I'd prefer an implementation based on subclassing, for the
 reasons described by ptone, and also because it's generally more flexible.

 The solution proposed by oinopion looks more like a workaround with the
 current code than like something we'd like to document.

Re: [Django] #19043: Mutable Password Hash Strength

2012-10-02 Thread Django
#19043: Mutable Password Hash Strength
-+-
 Reporter:  jbuckner |Owner:  nobody
 Type:  New feature  |   Status:  new
Component:  contrib.auth |  Version:  master
 Severity:  Normal   |   Resolution:
 Keywords:  auth, bcrypt,| Triage Stage:
  pbkdf2 |  Unreviewed
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by oinopion):

 If you want to force rehashing, change the algorithm name, say from
 `pbkdf2_sha256` to `pbkdf2_sha256_10`.

Re: [Django] #19043: Mutable Password Hash Strength

2012-09-29 Thread Django
#19043: Mutable Password Hash Strength
-+-
 Reporter:  jbuckner |Owner:  nobody
 Type:  New feature  |   Status:  new
Component:  contrib.auth |  Version:  master
 Severity:  Normal   |   Resolution:
 Keywords:  auth, bcrypt,| Triage Stage:
  pbkdf2 |  Unreviewed
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-

Comment (by ptone):

 The bar is pretty high for introducing new settings - I'm not sure this
 passes that bar.

 The subclassing of the hashers is very straightforward and even well
 documented:

 https://docs.djangoproject.com/en/dev/topics/auth/#increasing-the-work-factor

 You don't have to actually write your own hasher when subclassing in this
 case, just change a few attributes.

 I do think an argument could be made for changing the {{{must_update}}}
 flag to check if the same hasher is being used, not just the same
 algorithm. That would address the second part of your changes.

 Another reason not to introduce these settings is that it makes our sane
 security defaults a little too easy to muck with.  The project has to
 tread a line between defaults that are robust and not easily circumvented
 by genuine accident, while still allowing those who know what they are
 doing to make the changes they need to.  Subclassing seems to strike that
 balance better than a pair of settings.

Re: [Django] #19043: Mutable Password Hash Strength

2012-09-29 Thread Django
#19043: Mutable Password Hash Strength
-+-
 Reporter:  jbuckner |Owner:  nobody
 Type:  New feature  |   Status:  new
Component:  contrib.auth |  Version:  master
 Severity:  Normal   |   Resolution:
 Keywords:  auth, bcrypt,| Triage Stage:
  pbkdf2 |  Unreviewed
Has patch:  1|  Needs documentation:  0
  Needs tests:  0|  Patch needs improvement:  0
Easy pickings:  0|UI/UX:  0
-+-
Changes (by jbuckner):

 * needs_better_patch:   => 0
 * needs_tests:   => 0
 * needs_docs:   => 0


Comment:

 I have also opened a [https://github.com/django/django/pull/406 pull
 request] for this ticket.

[Django] #19043: Mutable Password Hash Strength

2012-09-29 Thread Django
#19043: Mutable Password Hash Strength
--+--
 Reporter:  jbuckner  |  Owner:  nobody
 Type:  New feature   | Status:  new
Component:  contrib.auth  |Version:  master
 Severity:  Normal|   Keywords:  auth, bcrypt, pbkdf2
 Triage Stage:  Unreviewed|  Has patch:  1
Easy pickings:  0 |  UI/UX:  0
--+--
 Django 1.4 introduced automatic conversion of passwords from one hashing
 algorithm to another. Some algorithms, notably Bcrypt and PBKDF2, can have
 different work factors and iterations. Currently there's no way to change
 the difficulty of the particular algorithm without subclassing it and
 writing your own hasher. Even then, it won't re-hash the password with the
 new difficulty.

 This patch adds two Django settings, {{{BCRYPT_ROUNDS}}} (as used in
 django-bcrypt) and {{{PBKDF2_ITERATIONS}}}, depending on your preferred
 algorithm. If you change these values, the next time
 {{{check_password()}}} is called when a user logs in, it will re-hash
 their password with the new difficulty.

 We did this by introducing an {{{is_current()}}} method in the
 {{{django.contrib.auth.hashers.BasePasswordHasher}}} that returns whether
 or not the hash matches the desired difficulty. For instance, in the
 {{{BCryptPasswordHasher}}}, we compare the {{{safe_summary['work
 factor']}}} against the {{{BCRYPT_ROUNDS}}} setting and if they differ,
 re-hash the password.

 There are also tests included.
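The following is an added standalone sketch, not Django's hashers module nor the code from pull request 406, of the two points the thread turns on: ptone's suggestion that the hasher's staleness flag compare the stored work factor and not just the algorithm name, and the ticket's idea of re-hashing on login when the stored difficulty differs from the configured one. The class and function names, the "pbkdf2_sha256" label and the iteration counts are this sketch's own; the stored-hash layout mirrors Django's algorithm$iterations$salt$hash format.

```python
import base64
import hashlib
import hmac
import secrets

# Added standalone sketch, not django.contrib.auth.hashers. The stored format
# mirrors Django's "algorithm$iterations$salt$hash", so the iteration count a
# hash was made with can be read back and compared to the current setting.
ALGORITHM = "pbkdf2_sha256"


def _digest(password, salt, iterations):
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return base64.b64encode(raw).decode("ascii")


class PBKDF2Hasher:
    def __init__(self, iterations):
        self.iterations = iterations  # the work factor a subclass would raise

    def encode(self, password, salt=None):
        salt = salt or secrets.token_hex(8)
        return "%s$%d$%s$%s" % (ALGORITHM, self.iterations, salt,
                                _digest(password, salt, self.iterations))

    def decode(self, encoded):
        algorithm, iterations, salt, digest = encoded.split("$", 3)
        if algorithm != ALGORITHM:
            raise ValueError("unexpected algorithm %r" % algorithm)
        return {"iterations": int(iterations), "salt": salt, "hash": digest}

    def verify(self, password, encoded):
        # Verify with the iteration count recorded in the hash, not the current
        # one, so passwords hashed under an older setting can still log in.
        d = self.decode(encoded)
        return hmac.compare_digest(_digest(password, d["salt"], d["iterations"]), d["hash"])

    def must_update(self, encoded):
        # The check ptone asks for (and #21535 later added): same algorithm is
        # not enough, the stored work factor must equal the current one.
        return self.decode(encoded)["iterations"] != self.iterations


def check_password(password, encoded, hasher, setter):
    """Verify and, when correct but stale, call setter(password) to store a fresh hash."""
    is_correct = hasher.verify(password, encoded)
    if is_correct and hasher.must_update(encoded):
        setter(password)
    return is_correct
```

Raising the iteration count on the hasher therefore never locks out existing users: their old hash still verifies, and the first successful login after the change triggers the re-hash, which is the behaviour the ticket asks for.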
