#5600: Patch to enhance cryptography on django.contrib.auth
--------------------------------+-------------------------------------------
Reporter: petrilli | Owner: nobody
Status: new | Component: Contrib apps
Version: SVN | Resolution:
Keywords: auth user crypto | Stage: Design decision needed
Has_patch: 1 | Needs_docs: 0
Needs_tests: 1 | Needs_better_patch: 0
--------------------------------+-------------------------------------------
Comment (by petrilli):
Having the same salt, especially when related to a relatively small space
for the salts to come from, reduces the cost of a brute-force
attack. As I noted in the original post, a 50% probability of identical
hashes is expected with 1,206 accounts in the system. This, combined with
the common use of simplistic passwords
([http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300
here] and [http://www.infoworld.com/article/06/11/17/47OPsecadvise_1.html
here]), creates a higher probability that seeing the hash will be enough to
determine the password. Combining these two factors reduces the pre-
calculation requirements for any form of brute-force attack.
SHA-1 has been shown to be breakable in no more than 2^63^ iterations
([http://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html more
information]). In addition, at CRYPTO2006, a semi-selective collision
attack was shown
([http://www.iacr.org/conferences/crypto2006/rumpsched.html more
information]). NIST has announced the phase-out of the 160-bit variants of
SHA-1 [http://csrc.nist.gov/hash_standards_comments.pdf no later than
2010], and recommended movement to SHA-256 as a minimum.
I understand that this isn't a particularly interesting patch, but is
something I had to do for a project I'm working on that has minimum
requirements for how users are handled. There are some additional changes
that I'll likely submit, and it is up to the Django team to decide whether
they should be mainstream. Much of this is covered in the
[http://www.owasp.org/ OWASP] documents.
--
Ticket URL: <http://code.djangoproject.com/ticket/5600#comment:2>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
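The 1,206-account figure in the comment is the birthday bound for the salt space. As an added example (not part of the ticket or of Django's code), the following computes the exact probability that two accounts share a salt, assuming salts are drawn uniformly from 2**20 values (the space size that reproduces the ticket's number), and contrasts it with a 96-bit random salt:

```python
"""Birthday-bound check for password-hash salt collisions.

Added example, not Django code. Assumes each salt is drawn uniformly at
random from a space of `salt_space` values; 2**20 is a constructed figure
chosen because it reproduces the ticket's "50% at 1,206 accounts".
"""
import math


def collision_probability(n_accounts: int, salt_space: int) -> float:
    """Exact probability that at least two of n_accounts random salts
    coincide (product form of the birthday problem)."""
    p_no_collision = 1.0
    for i in range(n_accounts):
        p_no_collision *= 1.0 - i / salt_space
    return 1.0 - p_no_collision


def accounts_for_half_chance(salt_space: int) -> int:
    """Smallest number of accounts at which a shared salt is at least
    50% likely. Iterates the exact product for small spaces and falls
    back to the sqrt(2 * N * ln 2) approximation where iterating would
    be infeasible (the approximation is very accurate for large N)."""
    if salt_space > 2 ** 40:
        return math.ceil(math.sqrt(2 * salt_space * math.log(2)))
    p_no_collision = 1.0
    n = 0
    while p_no_collision > 0.5:
        p_no_collision *= 1.0 - n / salt_space
        n += 1
    return n


if __name__ == "__main__":
    small = 2 ** 20   # ~1 million possible salts
    large = 2 ** 96   # 12 random bytes per salt
    print("accounts for 50% shared-salt chance, 2^20 space:",
          accounts_for_half_chance(small))
    print("P(shared salt) with 1,206 accounts, 2^20 space: %.4f"
          % collision_probability(1206, small))
    print("accounts for 50% shared-salt chance, 2^96 space: %e"
          % accounts_for_half_chance(large))
```

A shared salt matters because two users with the same password then store the identical digest, so one cracked hash reveals both accounts.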