> That hasher, being the fastest non-plaintext hasher around, is quite useful
> when running tests: it allows login checks to be performed much faster.

This argument came up a couple of times in the past and from what I remember
the Django test suite itself spends a significant amount of time hashing
passwords.

I understand that we want to avoid shipping a plaintext password hasher in
`django.contrib.auth.hashers` for the sake of not exposing a footgun-API but
what if we shipped one in the `django.contrib.auth.test` package instead?

We could document its use for testing purposes only and would make the
complete deprecation of unsafe hashers easier.

Simon

Le mardi 2 février 2016 12:23:50 UTC-5, Raphaël Barrois a écrit :
>
> Hi Tim, 
>
> I would suggest removing those hashers from the default list, but keeping 
> at least the 
> django.contrib.auth.hashers.UnsaltedMD5PasswordHasher around. 
>
> That hasher, being the fastest non-plaintext hasher around, is quite 
> useful when running tests: it allows login checks 
> to be performed much faster. 
>
> Beyond this, the idea seems great — it's still pretty easy for a site to 
> keep them around if it needs them. 
>
>
> -- 
> Raphaël 
>
> On Tue, 2 Feb 2016 08:10:50 -0800 (PST) 
> Tim Graham <timog...@gmail.com> wrote: 
>
> > Django 0.90 stored passwords as unsalted MD5. Django 0.91 added support for 
> > salted SHA1 with automatic upgrade of passwords [0]. 
> > 
> > In Django 1.4, the new password hashing machinery was added and some users 
> > complained that they couldn't upgrade because the password format from 
> > Django 0.90 was no longer accepted (password encodings starting with 
> > "md5$$" or "sha1$$", though the ticket suggests Django never used the 
> > latter prefix) [1]. 
> > 
> > I wonder if it's about time to remove these hashers [2]? I think it'd be 
> > okay for users who haven't logged in since Django 0.90 to reset their 
> > password (assuming the site provides that mechanism). I would consider 
> > recommending that site administrators mark any unsalted passwords 
> > "unusable" to mitigate the possibility of leaking unsalted passwords in the 
> > event the database is compromised. 
> > 
> > I think this is as simple as: 
> > 
> > users = User.objects.filter(password__startswith='md5$$') 
> > for user in users: 
> >     user.set_unusable_password() 
> >     user.save(update_fields=['password']) 
> > 
> > [0] https://code.djangoproject.com/ticket/18144#comment:18 
> > [1] https://code.djangoproject.com/ticket/18144 
> > [2] https://github.com/django/django/compare/master...timgraham:remove-unsalted-hashers 
>
>
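
An added illustration of the two points above (my own code, not Django's and not
posted by anyone in this thread): what the ancient unsalted encodings look like,
why they leak once the table is stolen, and the cleanup Tim proposes. It imports
nothing from Django; legacy_algorithm() copies the length/prefix rules that
django.contrib.auth.hashers.identify_hasher() uses for the ancient formats, and
every function name below is mine. The sample rows are constructed, the pbkdf2
row uses an illustrative salt and iteration count, and the "!" plus 40 random
characters shape for an unusable password is Django's convention.

```python
"""Legacy unsalted Django password encodings and how to retire them.

Added example, not Django's code. Assumptions: legacy_algorithm() mirrors
identify_hasher()'s rules for the ancient formats; helper names are mine.
"""
import base64
import hashlib
import hmac
import secrets
import string

UNUSABLE_PASSWORD_PREFIX = "!"        # Django's set_unusable_password() convention
HEX_DIGITS = frozenset("0123456789abcdef")


def _is_hex(s):
    return bool(s) and all(c in HEX_DIGITS for c in s)


def legacy_algorithm(encoded):
    """'unsalted_md5', 'unsalted_sha1', or None for any other encoding."""
    if len(encoded) == 32 and "$" not in encoded and _is_hex(encoded):
        return "unsalted_md5"                      # Django 0.90: bare md5 hexdigest
    if len(encoded) == 37 and encoded.startswith("md5$$") and _is_hex(encoded[5:]):
        return "unsalted_md5"                      # md5 with an empty salt
    if len(encoded) == 46 and encoded.startswith("sha1$$") and _is_hex(encoded[6:]):
        return "unsalted_sha1"                     # sha1 with an empty salt
    return None


def verify_legacy(password, encoded):
    """Constant-time check of a password against one of the legacy encodings."""
    algorithm = legacy_algorithm(encoded)
    if algorithm is None:
        return False
    digest = encoded.rsplit("$", 1)[-1]            # the bare form has no '$' at all
    hasher = hashlib.md5 if algorithm == "unsalted_md5" else hashlib.sha1
    return hmac.compare_digest(hasher(password.encode()).hexdigest(), digest)


def crack_unsalted(rows, wordlist):
    """Why an unsalted hash leaks: one table built from a wordlist cracks every
    row at once, and two users with the same password share the same digest."""
    table = {}
    for word in wordlist:
        table[hashlib.md5(word.encode()).hexdigest()] = word
        table[hashlib.sha1(word.encode()).hexdigest()] = word
    cracked = {}
    for username, encoded in rows:
        if legacy_algorithm(encoded) is not None:
            digest = encoded.rsplit("$", 1)[-1]
            if digest in table:
                cracked[username] = table[digest]
    return cracked


def make_unusable_password():
    """'!' followed by 40 random characters, the shape Django stores."""
    alphabet = string.ascii_letters + string.digits
    return UNUSABLE_PASSWORD_PREFIX + "".join(secrets.choice(alphabet) for _ in range(40))


def is_password_usable(encoded):
    return not encoded.startswith(UNUSABLE_PASSWORD_PREFIX)


def retire_unsalted_passwords(rows):
    """Tim's cleanup, widened to all three legacy shapes: a filter on
    password__startswith='md5$$' skips the bare 32-hex and the sha1$$ rows,
    so select by shape instead. Returns (new_rows, usernames_changed)."""
    new_rows, changed = [], []
    for username, encoded in rows:
        if legacy_algorithm(encoded) is not None:
            encoded = make_unusable_password()
            changed.append(username)
        new_rows.append((username, encoded))
    return new_rows, changed


def _pbkdf2_row(password, salt, iterations=24000):
    """A salted pbkdf2_sha256$<iter>$<salt>$<b64> row; the cleanup must leave it alone."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(dk).decode())


# Constructed sample user table: (username, encoded password).
SAMPLE_ROWS = [
    ("alice", hashlib.md5(b"password").hexdigest()),             # 0.90-style bare md5
    ("bob", "md5$$" + hashlib.md5(b"password").hexdigest()),     # md5 with empty salt
    ("carol", "sha1$$" + hashlib.sha1(b"letmein").hexdigest()),  # sha1 with empty salt
    ("dave", _pbkdf2_row("correct horse", "Hx3VmKkPqWz2")),      # salted, stays usable
]


if __name__ == "__main__":
    print("cracked:", crack_unsalted(SAMPLE_ROWS, ["123456", "password", "letmein"]))
    rows, changed = retire_unsalted_passwords(SAMPLE_ROWS)
    print("retired:", changed)
    for username, encoded in rows:
        print(username, "usable" if is_password_usable(encoded) else "unusable")
```

Running it shows alice and bob exposed as sharing a password before any
cracking (same digest), all three legacy rows cracked from a three-word list,
and only dave's salted row left usable afterwards. Against a real site the
select-by-shape step is the part worth keeping: with the ORM it is a regex or
length filter rather than a single startswith, or a loop over identify_hasher().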

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/b24d4e9e-97d5-4d80-9afc-00b561c1b8bc%40googlegroups.com.