Re: [Django] #34661: Peppering user passwords

Sat, 17 Jun 2023 04:53:04 -0700 

#34661: Peppering user passwords
-------------------------------+--------------------------------------
     Reporter:  Fatih Erikli   |                    Owner:  nobody
         Type:  Uncategorized  |                   Status:  new
    Component:  contrib.auth   |                  Version:  4.2
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------

Comment (by Fatih Erikli):

 Here is an example hasher:
 {{{
 # yourapp.hashers.py
 class PepperedPBKDF2PasswordHasher(PBKDF2PasswordHasher):
     algorithm = "pepperred_pbkdf2_sha256"

     def encode(self, password, salt, iterations=None):
         assert password is not None
         assert salt and '$' not in salt
         iterations = iterations or self.iterations
         hash = pbkdf2(password, salt, iterations, digest=self.digest)
         hash = base64.b64encode(
             hash+settings.PASSWORD_PEPPER).decode('ascii').strip()
         return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)

 }}}

 In settings:

 {{{
 PASSWORD_PEPPER = b'4545randombytes342445'
 PASSWORD_HASHERS = [
     "yourapp.hashers.PepperedPBKDF2PasswordHasher",
     "django.contrib.auth.hashers.PBKDF2PasswordHasher",
     "django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher",
     "django.contrib.auth.hashers.Argon2PasswordHasher",
     "django.contrib.auth.hashers.BCryptSHA256PasswordHasher",
     "django.contrib.auth.hashers.ScryptPasswordHasher",
 ]
 }}}

 The passwords will break when a pepper is changed. All the peppers should
 be archived with the associated users in case if a pepper secret key is
 exposed to the public. The previous peppers will be needed for logging the
 affected users in (before sending a password change notice, for example).

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34661#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/01070188c9338bbb-51929bc2-4166-4f2d-9273-15e2e1636248-000000%40eu-central-1.amazonses.com.

Reply via email to