Re: Using `SECRET_KEY` in password hashers

2023-06-21 Thread Fatih Erikli
For those who need something like this, I created a Python package "django-peppered-passwords".
https://github.com/fatih-erikli/django-peppered-passwords

On Mon, Jun 19, 2023 at 8:54 PM Fatih Erikli wrote:
> I recently created a ticket about it
> https://code.djangoproject.com/ticket/34661

Re: Using `SECRET_KEY` in password hashers

2023-06-19 Thread Fatih Erikli
I recently created a ticket about it: https://code.djangoproject.com/ticket/34661

It has been marked as a duplicate of https://code.djangoproject.com/ticket/30561

There is a document of NIST added on the original ticket. I think if there is going to be any compliance investigation about a Django proje

Re: Using `SECRET_KEY` in password hashers

2015-06-09 Thread Aymeric Augustin
Hello,

2015-06-09 16:16 GMT+02:00 Josh Smeaton:
> You're referring to a "pepper" - a site wide secret that's supposed to be
> used, in some way, to further encrypt passwords. As far as I'm aware there
> are no algorithms available that take a pepper into consideration.
>

I'm also wary of implem

Re: Using `SECRET_KEY` in password hashers

2015-06-09 Thread Josh Smeaton
You're referring to a "pepper" - a site wide secret that's supposed to be used, in some way, to further encrypt passwords. As far as I'm aware there are no algorithms available that take a pepper into consideration. Further, I don't see the need for the inclusion of a pepper if the password enc

Re: Using `SECRET_KEY` in password hashers

2015-06-09 Thread Florian Apolloner
FWIW the idea is relatively old and I think Mozilla has a 3rd party app which just adds that functionality to the hashers. As far as I remember it even allows having multiple secrets and as such migrate to a new key.

On Tuesday, June 9, 2015 at 7:16:02 AM UTC+2, Ram Rachum wrote:
>
> Hi,
>
> Wha

Re: Using `SECRET_KEY` in password hashers

2015-06-09 Thread Ram Rachum
On Tue, Jun 9, 2015 at 9:56 AM, Curtis Maloney wrote:
> So, the benefit of your case is it's one more step for an attacker if they
> want to brute-force your password database -- that they _also_ need to
> steal your PASSWORD_SECRET.
>
> The downside is, in the very case where they _do_ steal it,

Re: Using `SECRET_KEY` in password hashers

2015-06-08 Thread Curtis Maloney
So, the benefit of your case is it's one more step for an attacker if they want to brute-force your password database -- that they _also_ need to steal your PASSWORD_SECRET. The downside is, in the very case where they _do_ steal it, you must immediately invalidate every password by changing your

Re: Using `SECRET_KEY` in password hashers

2015-06-08 Thread Ram Rachum
If the leak happened because someone got into your code repo, you're right. (I can't rule out a scenario where someone got your SECRET_KEY with some other method, like analyzing data that was generated with the secret key.) But even if there's a leak, then you're in a situation not worse than wher

Re: Using `SECRET_KEY` in password hashers

2015-06-08 Thread Shai Berger
On Tuesday 09 June 2015 08:23:03 Ram Rachum wrote:
> On Tue, Jun 9, 2015 at 8:22 AM, Curtis Maloney wrote:
> > On 9 June 2015 at 15:16, Ram Rachum wrote:
> >>
> >> What do you think about using the project's `SECRET_KEY` as an
> >> additional salt in Django's password hashers?
>
> > I think i

Re: Using `SECRET_KEY` in password hashers

2015-06-08 Thread Ram Rachum
Okay, so how about if we use a separate secret?

On Tue, Jun 9, 2015 at 8:22 AM, Curtis Maloney wrote:
> I think it'd royally screw you over if you ever had to change your secret
> key [due to suspected leak, for example] as now all your passwords are
> invalid.
>
> --
> Curtis
>
>
> On 9 June 20

Re: Using `SECRET_KEY` in password hashers

2015-06-08 Thread Curtis Maloney
I think it'd royally screw you over if you ever had to change your secret key [due to suspected leak, for example] as now all your passwords are invalid.

--
Curtis

On 9 June 2015 at 15:16, Ram Rachum wrote:
> Hi,
>
> What do you think about using the project's `SECRET_KEY` as an additional
> s