#30561: Time for peppering user passwords in Django?
               Reporter:  linluc         |          Owner:  nobody
                   Type:  New feature    |         Status:  new
              Component:  Uncategorized  |        Version:  2.2
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
 Peppering passwords has been a controversial topic  widely discussed in
 many stack overflow questions. Having ran my 20+ personal email addresses
 through HIBP page the findings are clear: all emails/passwords of mine
 that had been leaked fall in the following categories: SQL injections,
 mis-configured databases, exposed database admin panels or strayed
 database backup files.

 And that’s exactly what a pepper value in the hashing process is
 protecting from. Breaching  the whole server with physical access to the
 file system is rather rare nowadays.

 According to this NIST document [ Digital Identity Guidelines
 Authentication and Lifecycle Management]

 “In addition, verifiers SHOULD perform an additional iteration of a key
 derivation function using a salt value that is secret and known only to
 the verifier.”

 So, why not in Django?

Ticket URL: <https://code.djangoproject.com/ticket/30561>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to