Re: PASSWORD_HASHERS Check

2022-06-25 Thread Tim Graham
On Friday, June 24, 2022 at 10:14:48 PM UTC-4 Francisco wrote:
> Here is a real-world example I found on a quick search:
> https://github.com/dimagi/commcare-hq/blob/6be7be39cb3f554670685e811a15720d46cc4a2d/settings.py#L192
> In this case, it appears that making SHA1 the default hasher wasn't a

Re: PASSWORD_HASHERS Check

2022-06-24 Thread Francisco Couzo
Here is a real-world example I found on a quick search: https://github.com/dimagi/commcare-hq/blob/6be7be39cb3f554670685e811a15720d46cc4a2d/settings.py#L192

On Fri, Jun 24, 2022 at 11:00 PM Francisco Couzo wrote:
> If you happen to be using pytest and want to detect if you're testing,
> there's

Re: PASSWORD_HASHERS Check

2022-06-24 Thread Francisco Couzo
If you happen to be using pytest and want to detect if you're testing, there's a really bad recommendation on this ticket: https://github.com/pytest-dev/pytest-django/issues/333. Now, that alone works, but if you were to import pytest, you would be running some test settings and be none the wiser.

Re: PASSWORD_HASHERS Check

2022-06-21 Thread Tim Graham
For context, Francisco proposed this at https://code.djangoproject.com/ticket/33793 which was marked wontfix by Mariusz with the comment:
> Django keeps "weak" password hashers for support with legacy systems and speeding up the tests

PASSWORD_HASHERS Check

2022-06-21 Thread Francisco
I think it would be a good idea to add a check for insecure hashers on PASSWORD_HASHERS[0], I know the insecure ones are not enabled by default, but I think it would be useful to warn users that have enabled them that it's a bad idea. They could have enabled them on production while thinking th
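A stand-alone sketch of the check Francisco proposes, added here as an example; it is not Django's code and not part of the thread. It only looks at PASSWORD_HASHERS[0], since that is the hasher used to encode new and re-set passwords, and it shows the ordering that keeps a legacy hasher available without making it the default. It does not import Django: the weak-hasher paths and the default ordering are copied in by hand (as shipped in Django 4.0), the check ids `security.W900` and `security.E900` are made up for the example, and the settings fragments are constructed for the demo, not taken from any real project. SILENCED_SYSTEM_CHECKS is a real Django setting and is used here as the way a test settings module would opt out, rather than sniffing for pytest at import time.

```python
"""Sketch of the proposed system check: warn when PASSWORD_HASHERS[0], the
hasher used for NEW passwords, is one of Django's weak/legacy hashers.
Added example; no Django import, so paths, defaults and ids are hand-written."""
from dataclasses import dataclass

# Hashers Django ships only to verify old hashes or to speed up test suites.
# Assumption: dotted paths as shipped in Django 4.0.
WEAK_HASHERS = frozenset({
    "django.contrib.auth.hashers.SHA1PasswordHasher",
    "django.contrib.auth.hashers.MD5PasswordHasher",
    "django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher",
    "django.contrib.auth.hashers.UnsaltedMD5PasswordHasher",
    "django.contrib.auth.hashers.CryptPasswordHasher",
})

# Django's default PASSWORD_HASHERS (4.0), strongest first; copied here so the
# example runs without Django installed.
DJANGO_DEFAULT_HASHERS = [
    "django.contrib.auth.hashers.PBKDF2PasswordHasher",
    "django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher",
    "django.contrib.auth.hashers.Argon2PasswordHasher",
    "django.contrib.auth.hashers.BCryptSHA256PasswordHasher",
    "django.contrib.auth.hashers.ScryptPasswordHasher",
]

# Hypothetical ids for the new check. Django's real security checks use ids of
# the form security.Wnnn / security.Ennn; these numbers are made up here.
WEAK_FIRST_HASHER_ID = "security.W900"
EMPTY_HASHERS_ID = "security.E900"


@dataclass(frozen=True)
class CheckMessage:
    """Minimal stand-in for django.core.checks.Warning / Error."""
    level: str  # "WARNING" or "ERROR"
    id: str
    msg: str


def check_password_hashers(password_hashers):
    """Return the messages the check would emit for a PASSWORD_HASHERS value.

    Only index 0 matters: that hasher encodes new and re-set passwords. A weak
    hasher later in the list is fine; it lets old hashes verify, and Django
    re-hashes them with PASSWORD_HASHERS[0] on the user's next login.
    """
    if not password_hashers:
        return [CheckMessage("ERROR", EMPTY_HASHERS_ID,
                             "PASSWORD_HASHERS is empty; no hasher is available.")]
    first = password_hashers[0]
    if first in WEAK_HASHERS:
        return [CheckMessage(
            "WARNING", WEAK_FIRST_HASHER_ID,
            f"PASSWORD_HASHERS[0] is {first}, which is insecure for storing new "
            "passwords. Put PBKDF2, Argon2, bcrypt or scrypt first and keep the "
            "weak hasher later in the list for legacy hashes only.")]
    return []


def run_checks(settings):
    """Mimic the checks framework: run the check, then drop any id listed in
    SILENCED_SYSTEM_CHECKS (a real Django setting). That is how a test-only
    settings module opts out explicitly instead of sniffing for pytest."""
    silenced = set(settings.get("SILENCED_SYSTEM_CHECKS", ()))
    return [m for m in check_password_hashers(settings.get("PASSWORD_HASHERS", []))
            if m.id not in silenced]


# Constructed settings fragments for the demo (not any real project's settings).
PROD_DEFAULT = {"PASSWORD_HASHERS": DJANGO_DEFAULT_HASHERS}
PROD_SHA1_FIRST = {  # the misconfiguration the thread is about: SHA1 as default
    "PASSWORD_HASHERS": ["django.contrib.auth.hashers.SHA1PasswordHasher"]
    + DJANGO_DEFAULT_HASHERS,
}
PROD_SHA1_LEGACY = {  # the right way to keep SHA1 around: after the strong ones
    "PASSWORD_HASHERS": DJANGO_DEFAULT_HASHERS
    + ["django.contrib.auth.hashers.SHA1PasswordHasher"],
}
TEST_SETTINGS = {  # fast hasher for tests, with the check silenced on purpose
    "PASSWORD_HASHERS": ["django.contrib.auth.hashers.MD5PasswordHasher"],
    "SILENCED_SYSTEM_CHECKS": [WEAK_FIRST_HASHER_ID],
}

if __name__ == "__main__":
    for name, cfg in [("PROD_DEFAULT", PROD_DEFAULT),
                      ("PROD_SHA1_FIRST", PROD_SHA1_FIRST),
                      ("PROD_SHA1_LEGACY", PROD_SHA1_LEGACY),
                      ("TEST_SETTINGS", TEST_SETTINGS)]:
        print(name, run_checks(cfg) or "ok")
```

Running the module prints one warning, for PROD_SHA1_FIRST only: the default ordering, the legacy ordering with SHA1 last, and the silenced test settings all pass. Wiring this into a real project would mean registering `check_password_hashers` with `django.core.checks.register` under the security tag and reading `settings.PASSWORD_HASHERS` instead of a dict.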