Tom, The behavior of the make_password method is quite surprising to be honest >
I'd go even further and say that currently the behaviour of the make_password function is *wrong* and *unsafe*. Again, let's look at hashing functions from other libraries. None of them fails silently and casts object to bytes using __str__(). Werkzeug and passlib are the most notable examples how to handle things correctly: *1. Werkzeug* In [1]: from werkzeug.security import generate_password_hash In [2]: generate_password_hash(dict()) TypeError: Expected bytes *2. Passlib* In [1]: from passlib.hash import pbkdf2_sha256 In [2]: pbkdf2_sha256.hash(dict()) TypeError: secret must be unicode or bytes, not dict *3. Django* In [1]: from django.contrib.auth.hashers import make_password In [2]: make_password(dict()) Out[2]: 'pbkdf2_sha256$180000$dimMkJ5wvrpn$eHh6CNAY+hTagaDmsofHMlJEbVOXEeIEfcT059Me2ho=' (seriously???) This is especially *wrong* because programmers who are *not* aware of this strange behaviour can accidentally do things that they *really *don't want to do. I can imagine scenarios in which this can have some serious unintended consequences. maybe the advantages of being able to pass any object into the method is > entirely academic because nobody passes anything but strings on purpose Exactly. I'd even say that there are *no* advantages of being able to pass any object into this function and it can have bad consequences. Dawid -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAHzshFuQnEUrAdk53apDWw3wnPBNq%2BYQE9bxyfOpbFfyQS04dw%40mail.gmail.com.
