#4151: Patch to add support for more secure password hashes in Python 2.5 or newer
----------------------------------------------+-----------------------------
   Reporter:  Nick Efford <[EMAIL PROTECTED]>   |                Owner:  adrian
     Status:  new                             |            Component:  Contrib apps
    Version:  SVN                             |           Resolution:
   Keywords:  authentication, password, hash  |                Stage:  Design decision needed
  Has_patch:  1                               |           Needs_docs:  0
Needs_tests:  0                               |   Needs_better_patch:  1
----------------------------------------------+-----------------------------
Comment (by Nick Efford <[EMAIL PROTECTED]>):

 Replying to [comment:3 SmileyChris]:
 
 > The other consideration (hence my moving to design decision required) is
 > that this puts a partial requirement on >2.3 in the case of databases
 > which contain new hash formats. This might be acceptable, I'm not sure.
 
 Good point.
 
 How about we add another setting, {{{USE_STRONG_HASHES}}}, set to
 {{{False}}} in {{{global_settings.py}}}?  When this setting is
 {{{False}}}, the current hashing code is used; when it is set to
 {{{True}}} explicitly in a project's {{{settings.py}}}, an attempt is made
 to use {{{hashlib}}} and one of the longer hash algorithms (as specified
 by {{{PASSWORD_HASH_ALGORITHM}}}).
 
 This approach forces the user to turn on the potentially incompatible
 behaviour.  We could add documentation to carefully explain the potential
 consequences of doing this.  Would that suffice?
 
 I'm happy to rework the patch to follow this slightly different approach,
 if encouraged to do so :)

-- 
Ticket URL: <http://code.djangoproject.com/ticket/4151#comment:5>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
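
Added example (not part of the ticket, the patch, or Django's code): a sketch of the opt-in behaviour proposed in the comment above, showing why verification has to follow the algorithm recorded with each hash and how a runtime lacking that algorithm fails. The `algorithm$salt$hexdigest` storage format, the SHA-1 legacy default, the `sha256` fallback value and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

LEGACY_ALGORITHM = "sha1"  # assumption: stand-in for "the current hashing code"


class UnsupportedHash(Exception):
    """Stored hash names an algorithm this runtime cannot compute."""


def _digest(algorithm, salt, raw_password):
    return hashlib.new(algorithm, (salt + raw_password).encode("utf-8")).hexdigest()


def make_password(raw_password, settings):
    """Hash a new password; longer algorithms are used only on explicit opt-in."""
    algorithm = LEGACY_ALGORITHM
    if settings.get("USE_STRONG_HASHES", False):
        # "sha256" as the fallback value is an assumption, not from the ticket.
        algorithm = settings.get("PASSWORD_HASH_ALGORITHM", "sha256")
        if algorithm not in hashlib.algorithms_available:
            raise UnsupportedHash(algorithm)
    salt = secrets.token_hex(8)
    return "$".join([algorithm, salt, _digest(algorithm, salt, raw_password)])


def check_password(raw_password, encoded, supported=None):
    """Verify with the algorithm recorded in the stored value, not the setting."""
    supported = hashlib.algorithms_available if supported is None else supported
    algorithm, salt, expected = encoded.split("$", 2)
    if algorithm not in supported:
        # The compatibility risk raised in the ticket: a database written with
        # the setting on cannot be verified by a runtime without that algorithm.
        raise UnsupportedHash(algorithm)
    return hmac.compare_digest(_digest(algorithm, salt, raw_password), expected)


if __name__ == "__main__":
    # Constructed sample settings and password.
    old = make_password("s3cret", {})
    new = make_password("s3cret", {"USE_STRONG_HASHES": True,
                                   "PASSWORD_HASH_ALGORITHM": "sha512"})
    print(old.split("$")[0], check_password("s3cret", old))
    print(new.split("$")[0], check_password("s3cret", new))
    try:
        # Model an older runtime that only offers the legacy algorithms.
        check_password("s3cret", new, supported={"sha1", "md5"})
    except UnsupportedHash as exc:
        print("cannot verify on older runtime:", exc)
```

Because the algorithm travels with each stored value, hashes created before the setting is switched on keep verifying afterwards; only the reverse move, to a runtime without the newer algorithm, breaks.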