Re: Question about password salt and encryption

2013-06-17 Thread Jon Dufresne
On Sat, Jun 15, 2013 at 2:24 PM, Luke Plant wrote:
> 2) Should Django's security be improved by an additional salt that isn't
> stored in the database?
>
> Regarding number 2, this is not likely to happen quickly, due to
> backwards compatibility issues, and the need to introduce a new setting
>

Re: Question about password salt and encryption

2013-06-15 Thread Donald Stufft
On Jun 15, 2013, at 5:24 PM, Luke Plant wrote:
> On 15/06/13 14:17, Jon Dufresne wrote:
>
>> I guess I need to decide which way to go. Either a custom password
>> hasher that uses a static salt, or use Django's existing password hasher
>> and not think about it.
>
> There are two questions her

Re: Question about password salt and encryption

2013-06-15 Thread Luke Plant
On 15/06/13 14:17, Jon Dufresne wrote:
> I guess I need to decide which way to go. Either a custom password
> hasher that uses a static salt, or use Django's existing password hasher
> and not think about it.

There are two questions here:
1) What should you do for your system?
2) Should Django'

Re: Question about password salt and encryption

2013-06-15 Thread Aymeric Augustin
On 15 June 2013, at 15:17, Jon Dufresne wrote:
> I guess I need to decide which way to go. Either a custom password hasher
> that uses a static salt, or use Django's existing password hasher and not
> think about it.

The first option is a very thin addition on top of Django's authentication f

Re: Question about password salt and encryption

2013-06-15 Thread Jon Dufresne
Thank you Luke.

On Sat, Jun 15, 2013 at 12:55 AM, Luke Plant wrote:
> The reason that SECRET_KEY is not used is that SECRET_KEY is used for
> other applications which might require key cycling - typically for short
> lived data where key cycling isn't going to cause too much of a problem.
>
> S

Re: Question about password salt and encryption

2013-06-15 Thread Luke Plant
Hi Jon,

> I am in the process of porting an existing application to use Django. I
> am modifying the authentication portion of the existing application to
> be compatible with Django's authentication system. One thing that struck
> me, Django appears to use a single per user salt, stored in the
>

Question about password salt and encryption

2013-06-14 Thread jon.dufresne
I am in the process of porting an existing application to use Django. I am modifying the authentication portion of the existing application to be compatible with Django's authentication system. One thing that struck me, Django appears to use a single per user salt, stored in the database. Howev