I recently created a ticket about it https://code.djangoproject.com/ticket/34661
It has been marked as a duplicate of https://code.djangoproject.com/ticket/30561. There is a NIST document added on the original ticket.

I think if there is going to be any compliance investigation about a Django project, this will cause an issue. Having salts on user tables raises different questions about the necessity of them, like: if they are stored next to the password, why do we hash the password with a salt? There is so much work done already at that level. I think it should be a complete solution and should not leave any concern to the developers. I don't want to invent an authentication for my project. I don't want to use a patched or extended version of Django. Having a developer community consensus about the things we should be concerned about helps me focus on the project. This is why I think we should have it in new Django projects by default.

On Tuesday, June 9, 2015 at 5:31:48 PM UTC+3 Aymeric Augustin wrote:
> Hello,
>
> 2015-06-09 16:16 GMT+02:00 Josh Smeaton <josh.s...@gmail.com>:
>
>> You're referring to a "pepper" - a site wide secret that's supposed to be
>> used, in some way, to further encrypt passwords. As far as I'm aware there
>> are no algorithms available that take a pepper into consideration.
>
> I'm also wary of implementing a mechanism that isn't considered a best
> practice in the industry.
>
> Pepper doesn't achieve anything that you couldn't do by changing the
> number of rounds (or perhaps the salt length, but I'm not sure that makes
> sense). Any additional code adds potential for implementation mistakes that
> could introduce security issues.
>
> As a consequence, I think there are more risks than benefits to this
> proposal as it stands. I would change my mind if pepper countered a common
> class of attacks, like salt countered rainbow tables.
>
> --
> Aymeric.
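To make the "pepper" under discussion concrete, here is an added example (not Django's own hasher and not an implementation the thread proposes): a Django-style PBKDF2 hasher in which the password is first HMAC-ed with a site-wide pepper kept outside the database, so a leaked user table (salt plus hash) is not enough on its own to verify password guesses. The pepper value, function names and iteration count are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # illustrative work factor for this example, not a recommendation


def _prehash(password: str, pepper: bytes) -> bytes:
    """Bind the password to the site-wide pepper before the salted KDF.

    HMAC is used rather than plain concatenation so the pepper acts as a key
    and the result has a fixed length regardless of password length.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def make_password(password: str, pepper: bytes, salt: Optional[str] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a Django-style '<alg>$<iterations>$<salt>$<b64hash>' string.

    Only the per-user salt is stored in the string; the pepper is not.
    """
    salt = salt or secrets.token_urlsafe(16)
    if "$" in salt:
        raise ValueError("'$' is the field separator and may not appear in the salt")
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper),
                             salt.encode("ascii"), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(dk).decode('ascii')}"


def check_password(password: str, encoded: str, pepper: bytes) -> bool:
    """Verify a password against a stored hash.

    Verification needs the pepper, which is held in configuration rather
    than in the user table, so a database dump alone cannot be used to
    test guesses against these hashes.
    """
    algorithm, iterations, salt, b64hash = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper),
                             salt.encode("ascii"), int(iterations))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(base64.b64encode(dk).decode("ascii"), b64hash)
```

Rotating the pepper invalidates every stored hash, so in practice it can only be changed by re-hashing each password at the user's next successful login.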