Hi Paul,

On Feb 14, 1:37 am, poswald <paulosw...@gmail.com> wrote:
> * Django ships with SHA2-256, SHA2-512 or PBKDF2 by default. SHA2 is
> python 2.5 compatible (due to hashlib being added in python 2.5) and
> PBKDF2 is short enough that it could be included into the project.
> This satisfies NIST/US Gov requirements.
> * SHA1 is maintained for backwards compatibility
> * More secure hashing algorithms can be specified by defining the
> functions to be used for 'User.set_password' and 'User.check_password'
> as suggested above.
I'm only one core dev, and not a crypto expert, but I've read the linked material and followed previous conversations, and here's my take:

I don't think it's OK for Django to continue shipping with a default password hashing scheme which no crypto expert, as far as I've seen, considers adequate. People I trust to know their crypto, e.g. Thomas Ptacek of Matasano, consider PBKDF2 to be significantly better than salted SHA1 for password storage, if not quite as good as bcrypt. [1]

PBKDF2 is simple enough (just SHA1 iterated many times) that including an existing pure-Python implementation in Django seems reasonable, removing the concerns about cross-platform and Python version compatibility. (It would still be best if we could get the PBKDF2 implementation reviewed by a cryptographer.)

So I'm +1 on switching Django's default password hashing to PBKDF2.

As for the broader configurability question, I'm just fine with requiring a custom auth backend, which really isn't that hard, as a condition for customizing password hashing. So I'm not particularly tempted by proposals to add a new setting for this. The hardcoded stuff in the User model does bug me, though; I'm interested in the proposal to make the User model delegate that to new methods on an authentication backend (with backwards-compatibility fallback for old auth backends that don't have the new methods).

Carl

[1] http://news.ycombinator.com/item?id=2005182