On Tue, Nov 30, 2010 at 4:22 AM, Tom Evans <tevans...@googlemail.com> wrote:
> First comment is that Django already has a pluggable authentication
> stack, which already allows for this - simply define a new auth
> backend that tests the password in the manner you wish.

My understanding of the pluggable authentication system is that it's for situations where you need a totally different authentication mechanism, such as LDAP. Simply replacing the crypto mechanism for the default authentication system should not require developing a lot of pieces. It is something that needs to be upgraded on an ongoing basis for everyone. It's simply best practices. The federal government already forbids use of SHA-1 after 2010.

> It doesn't allow for this with the default authenticator, but it is
> doable. I have a django project with >100k users, and none of them
> have a sha1 hash as their password.

I won't comment on the wisdom of this, but I'd not use it as an example of why we don't need to provide flexibility to improve security.

Chris
--
| Chris Petrilli
| petri...@amber.org
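The migration path the thread is arguing about, as an added example that is not code from Django or from either poster: a stand-alone check that verifies a legacy Django-style `sha1$salt$hexdigest` entry and, on success, hands back a re-encoded PBKDF2-SHA256 value to store in its place. The `pbkdf2_sha256$iterations$salt$hex` layout, the iteration count and the function names are assumptions of this illustration.

```python
import hashlib
import hmac
import os

# Legacy storage layout of the era the thread discusses: "sha1$<salt>$<hexdigest>",
# where hexdigest = sha1(salt + raw_password). Illustration only, not Django's code.
LEGACY_ALGO = "sha1"
# Assumed replacement layout: "pbkdf2_sha256$<iterations>$<salt>$<hexdigest>".
STRONG_ALGO = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def legacy_sha1_hash(raw_password: str, salt: str) -> str:
    """Encode a password the old way; used here only to verify stored entries."""
    digest = hashlib.sha1((salt + raw_password).encode()).hexdigest()
    return "%s$%s$%s" % (LEGACY_ALGO, salt, digest)


def pbkdf2_hash(raw_password: str, salt: str = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Encode a password with a salted, iterated hash (stdlib PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(8).hex()  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", raw_password.encode(), salt.encode(), iterations)
    return "%s$%d$%s$%s" % (STRONG_ALGO, iterations, salt, dk.hex())


def check_password(raw_password: str, encoded: str):
    """Return (is_valid, upgraded_encoding_or_None).

    A caller that gets a non-None second value should store it over the old
    entry, so legacy SHA-1 hashes are replaced on the user's next login.
    """
    algo, rest = encoded.split("$", 1)
    if algo == LEGACY_ALGO:
        salt, _digest = rest.split("$")
        ok = hmac.compare_digest(legacy_sha1_hash(raw_password, salt), encoded)
        return ok, (pbkdf2_hash(raw_password) if ok else None)
    if algo == STRONG_ALGO:
        iterations, salt, _digest = rest.split("$")
        ok = hmac.compare_digest(pbkdf2_hash(raw_password, salt, int(iterations)), encoded)
        return ok, None
    raise ValueError("unknown password algorithm: %r" % algo)
```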