For those who need something like this, I created a python package
"django-peppered-passwords".
https://github.com/fatih-erikli/django-peppered-passwords
On Mon, Jun 19, 2023 at 8:54 PM Fatih Erikli
wrote:
> I recently created a ticket about it
> https://code.djangoproject.com/ticket/34661
>
>
I recently created a ticket about it
https://code.djangoproject.com/ticket/34661
It has been marked duplicate of
https://code.djangoproject.com/ticket/30561
There is a document of NIST added on the original ticket.
I think if there is going to be any compliance investigation about a Django
Hello,
2015-06-09 16:16 GMT+02:00 Josh Smeaton :
> You're referring to a "pepper" - a site wide secret that's supposed to be
> used, in some way, to further encrypt passwords. As far as I'm aware there
> are no algorithms available that take a pepper into consideration.
>
You're referring to a "pepper" - a site wide secret that's supposed to be
used, in some way, to further encrypt passwords. As far as I'm aware there
are no algorithms available that take a pepper into consideration. Further,
I don't see the need for the inclusion of a pepper if the password
FWIW the idea is relatively old and I think mozilla has a 3rd party app
which just adds that functionality to the hashers. As far as I remember it
even allows having multiple secrets and as such migrate to a new key.
On Tuesday, June 9, 2015 at 7:16:02 AM UTC+2, Ram Rachum wrote:
>
> Hi,
>
>
On Tue, Jun 9, 2015 at 9:56 AM, Curtis Maloney
wrote:
> So, the benefit of your case is it's one more step for an attacker if they
> want to brute-force your password database -- that they _also_ need to
> steal your PASSWORD_SECRET.
>
> The downside is, in the very
So, the benefit of your case is it's one more step for an attacker if they
want to brute-force your password database -- that they _also_ need to
steal your PASSWORD_SECRET.
The downside is, in the very case where they _do_ steal it, you must
immediately invalidate every password by changing your
If the leak happened because someone got into your code repo, you're right.
(I can't rule out a scenario where someone got your SECRET_KEY with some
other method, like analyzing data that was generated with the secret key.)
But even if there's a leak, then you're in a situation not worse than
On Tuesday 09 June 2015 08:23:03 Ram Rachum wrote:
> On Tue, Jun 9, 2015 at 8:22 AM, Curtis Maloney
> wrote:
> > On 9 June 2015 at 15:16, Ram Rachum wrote:
> >>
> >> What do you think about using the project's `SECRET_KEY` as an
> >> additional
Okay, so how about if we use a separate secret?
On Tue, Jun 9, 2015 at 8:22 AM, Curtis Maloney
wrote:
> I think it'd royally screw you over if you ever had to change your secret
> key [due to suspected leak, for example] as now all your passwords are
> invalid.
>
>
I think it'd royally screw you over if you ever had to change your secret
key [due to suspected leak, for example] as now all your passwords are
invalid.
--
Curtis
On 9 June 2015 at 15:16, Ram Rachum wrote:
> Hi,
>
> What do you think about using the project's
Hi,
What do you think about using the project's `SECRET_KEY` as an additional
salt in Django's password hashers? The advantage would be that they'll be
harder to crack, as an attacker would need access both to the database
table and the code for the secret key. The disadvantage I can think of
12 matches
Mail list logo