I am in the process of porting an existing application to use Django. I am modifying the authentication portion of the existing application to be compatible with Django's authentication system. One thing that struck me: Django appears to use a single per-user salt, stored in the database. However, the existing application uses two salts, one static salt stored outside the database, and a per-user salt stored in the database. From all the advice I've received about secure authentication, it seems the two-salt method is standard behavior and considered a best practice. Is there a reason Django does not use the SECRET_KEY (or some other static salt) when encrypting passwords? Is this still considered a secure encryption mechanism? This feels like a step backwards for the authentication of this application.
-- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/django-developers. For more options, visit https://groups.google.com/groups/opt_out.
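As an added illustration of the two schemes the question compares (this is example code, not Django's own hasher and not part of the original post): a standalone PBKDF2-SHA256 hasher that stores a per-user salt in Django's `algorithm$iterations$salt$hash` layout, beside a variant that first keys the password with a static secret held outside the database. The iteration count, the salt alphabet, the `pbkdf2_sha256_pepper` label and the `pepper` parameter are this example's own choices.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Iteration count picked for this example; tune it to your hardware and threat model.
ITERATIONS = 260_000
SALT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def make_salt(length: int = 22) -> str:
    """Fresh random per-user salt, stored alongside the hash in the users table."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def _pbkdf2(label: str, secret: bytes, salt: str, iterations: int) -> str:
    """PBKDF2-HMAC-SHA256, encoded as label$iterations$salt$base64hash."""
    dk = hashlib.pbkdf2_hmac("sha256", secret, salt.encode(), iterations)
    return f"{label}${iterations}${salt}${base64.b64encode(dk).decode()}"


def encode_password(password: str, salt: str, iterations: int = ITERATIONS) -> str:
    """Scheme 1: per-user salt only (the shape of Django's PBKDF2 hasher output)."""
    return _pbkdf2("pbkdf2_sha256", password.encode(), salt, iterations)


def encode_password_peppered(password: str, salt: str, pepper: bytes,
                             iterations: int = ITERATIONS) -> str:
    """Scheme 2: per-user salt plus a static secret ("pepper") kept outside the database.

    The password is keyed with the pepper via HMAC before PBKDF2, so a dumped users
    table alone, without the pepper, cannot be used to test guesses offline.
    The 'pbkdf2_sha256_pepper' label is this example's own, not a Django algorithm name.
    """
    keyed = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    return _pbkdf2("pbkdf2_sha256_pepper", keyed, salt, iterations)


def verify_password(password: str, encoded: str, pepper: Optional[bytes] = None) -> bool:
    """Re-derive with the salt and iteration count stored in `encoded`; compare in constant time."""
    label, iterations, salt, _ = encoded.split("$", 3)
    if label == "pbkdf2_sha256":
        candidate = encode_password(password, salt, int(iterations))
    elif label == "pbkdf2_sha256_pepper":
        if pepper is None:
            return False  # a peppered hash is unverifiable without the out-of-DB secret
        candidate = encode_password_peppered(password, salt, pepper, int(iterations))
    else:
        return False
    return hmac.compare_digest(candidate.encode(), encoded.encode())


if __name__ == "__main__":
    pepper = secrets.token_bytes(32)  # would live in settings or the environment, never in the users table
    salt = make_salt()
    plain = encode_password("correct horse battery staple", salt)
    peppered = encode_password_peppered("correct horse battery staple", salt, pepper)
    print(plain)
    print(peppered)
    print(verify_password("correct horse battery staple", plain))
    print(verify_password("correct horse battery staple", peppered, pepper))
    print(verify_password("correct horse battery staple", peppered))  # no pepper supplied
```

The per-user salt is what stops precomputed tables and forces each guess to be run per account; it is stored next to the hash because the verifier must be able to read it. The static secret only adds protection in the case where the database leaks but the secret does not, and it couples every stored hash to that one value, which is why rotating it means re-hashing users as they next log in.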
