On Sat, Jun 15, 2013 at 2:24 PM, Luke Plant <[email protected]> wrote:
> 2) Should Django's security be improved by an additional salt that isn't
> stored in the database?
>
> Regarding number 2, this is not likely to happen quickly, due to
> backwards compatibility issues, and the need to introduce a new setting
> etc. (That may help you to decide question 1).
>
> It's definitely worth considering, of course. We would have to consider
> whether it is worth the work. For many installations, if an attacker has
> the database they are very likely to have the source code too. Of
> course, we should try to layer security so that it isn't all or nothing.
> But given the difficulties of changing things, we'd have to consider
> whether the increase in security, in a typical setup, would justify the
> change.

Are you suggesting this should be a change to Django itself? A new password hasher that uses a per-user salt as well as a static salt stored outside the database? Should I file this as a ticket or is this just hypothetical?
