On Sun, Nov 28, 2010 at 3:14 AM, Christophe Pettus <x...@thebuild.com> wrote:
> Hi, all,
>
> Right now, Django's auth system pretty much uses sha1 hardwired in
> (literally, in the case of User.set_password) for the hash. For a discussion
> of why a general-purpose hash function is not the best idea in the world for
> password encryption, see:
>
> http://codahale.com/how-to-safely-store-a-password/
>
> I'd like to propose a backwards-compatible method of allowing different hash
> algorithms to be used, while not adding new dependencies on external
> libraries to the core.
>
> 1. Add a setting DEFAULT_PASSWORD_HASH. This contains the code for the
> algorithm to use; if it is absent, 'sha1' is assumed.
>
> 2. Add a setting PASSWORD_HASH_FUNCTIONS. This is a map of algorithm codes
> to callables; the callable has the same parameters as
> auth.models.get_hexdigest, and returns the hex digest of its parameters (to allow
> for a single function to handle multiple algorithms, the algorithm parameter
> to get_hexdigest is retained). For example:
>
> PASSWORD_HASH_FUNCTIONS = { 'bcrypt':
> 'myproject.myapp.bcrypt_hex_digest' }
>
> 3. auth.models.get_hexdigest is modified such that if the algorithm isn't one
> of the ones it knows about, it consults PASSWORD_HASH_FUNCTIONS and uses the
> matching function, if present. If there's no match, it fails as it does
> currently.
>
> 4. User.set_password() is modified to check the value of
> DEFAULT_PASSWORD_HASH, and uses that algorithm if specified; otherwise, it
> uses 'sha1' as it does now. (Optional: Adding the algorithm as a default
> parameter to User.set_password().)
>
> Comments?
>
First comment is that Django already has a pluggable authentication stack, which already allows for this - simply define a new auth backend that tests the password in the manner you wish. It doesn't allow for this with the default authenticator, but it is doable.

I have a django project with >100k users, and none of them have a sha1 hash as their password.

Cheers

Tom
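As an added illustration (not code from this thread or from Django itself), here is the dispatch mechanism the proposal describes written stand-alone: get_hexdigest tries the built-in algorithms first and then falls back to the PASSWORD_HASH_FUNCTIONS registry, set_password picks DEFAULT_PASSWORD_HASH, and stored 'sha1$salt$hash' values keep verifying. The plugged-in algorithm is stdlib PBKDF2-HMAC standing in for bcrypt so nothing external is needed; the registry holds callables directly rather than dotted-path strings, and every name other than the two settings and get_hexdigest is assumed.

```python
import hashlib
import hmac
import os

# Settings as proposed in the thread (the values chosen here are assumptions).
DEFAULT_PASSWORD_HASH = "pbkdf2"
PASSWORD_HASH_FUNCTIONS = {}  # algorithm code -> callable(algorithm, salt, raw_password)


def pbkdf2_hex_digest(algorithm, salt, raw_password):
    """Plugged-in slow hash: stdlib PBKDF2-HMAC-SHA256, standing in for bcrypt.

    Same parameters as get_hexdigest; 'algorithm' is kept so one callable can
    serve several registered codes, as the proposal allows.
    """
    dk = hashlib.pbkdf2_hmac("sha256", raw_password.encode(), salt.encode(), 100_000)
    return dk.hex()


PASSWORD_HASH_FUNCTIONS["pbkdf2"] = pbkdf2_hex_digest


def get_hexdigest(algorithm, salt, raw_password):
    """Built-in codes first (md5/sha1 as in Django of the time), then the registry."""
    data = (salt + raw_password).encode()
    if algorithm == "md5":
        return hashlib.md5(data).hexdigest()
    if algorithm == "sha1":
        return hashlib.sha1(data).hexdigest()
    func = PASSWORD_HASH_FUNCTIONS.get(algorithm)
    if func is None:
        # No match: fail exactly as the unmodified function would.
        raise ValueError("Got unknown password algorithm type in password.")
    return func(algorithm, salt, raw_password)


def set_password(raw_password, algorithm=None):
    """Return the stored form 'algo$salt$hexdigest', defaulting to DEFAULT_PASSWORD_HASH."""
    algorithm = algorithm or DEFAULT_PASSWORD_HASH
    salt = os.urandom(8).hex()
    return "%s$%s$%s" % (algorithm, salt, get_hexdigest(algorithm, salt, raw_password))


def check_password(raw_password, encoded):
    """Verify against the stored form; the algorithm code selects the hash function."""
    algorithm, salt, digest = encoded.split("$", 2)
    candidate = get_hexdigest(algorithm, salt, raw_password)
    return hmac.compare_digest(candidate, digest)
```

Because the algorithm code travels with each stored value, existing sha1 rows verify unchanged while new passwords are written with the slow hash, which is the backwards compatibility the proposal is after.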