#31358: Increase default password salt size in BasePasswordHasher.
--------------------------------------+------------------------------------
Reporter: Jon Moroney | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Comment (by Jon Moroney):
Replying to [comment:8 Florian Apolloner]:
> Replying to [comment:5 felixxm]:
> > Florian, it seems that it's tested only in
> > [https://github.com/django/django/blob/master/tests/auth_tests/test_views.py#L1252-L1260 auth_tests.test_views.ChangelistTests].
>
> Mhm, what does this mean for existing password hashes, will they get
> updated to the new salt length? I get the feeling that the module level
> constant `CRYPTO_SALT_LENGTH` should be an attribute `salt_length` on
> `BasePasswordHasher` and `must_update` should take this into account.
Would that change `must_update` at the `BasePasswordHasher` level to
something like
{{{
def must_update(self, encoded):
    # True when the stored hash's salt length differs from the current setting
    return self.salt_length != encoded.salt_length
}}}
?
If so, would that first require an update to go out with the attribute set
to 12?
--
Ticket URL: <https://code.djangoproject.com/ticket/31358#comment:9>
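
An added example, not part of the ticket and not Django's code: a stand-alone sketch of the idea discussed above, where `must_update` consults a `salt_length` attribute so that existing hashes are re-hashed at the next successful login. `SketchPBKDF2Hasher`, `check_and_upgrade`, `legacy_hash`, the new length of 22 and the low iteration count are assumptions; it treats a shorter stored salt, rather than any differing one, as needing an update.

```python
import base64
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


class SketchPBKDF2Hasher:
    """Hypothetical stand-in for a BasePasswordHasher subclass (not Django's code)."""
    algorithm = "pbkdf2_sha256"
    iterations = 1000   # kept low so the example runs fast; not a recommendation
    salt_length = 22    # assumed new default; the ticket gives 12 as the old one

    def salt(self):
        return "".join(secrets.choice(ALPHABET) for _ in range(self.salt_length))

    def encode(self, password, salt, iterations=None):
        iterations = iterations or self.iterations
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
        digest = base64.b64encode(dk).decode("ascii")
        return f"{self.algorithm}${iterations}${salt}${digest}"

    def verify(self, password, encoded):
        # Recompute with the parameters stored in the hash, not the current ones.
        _, iterations, salt, _ = encoded.split("$", 3)
        return hmac.compare_digest(encoded, self.encode(password, salt, int(iterations)))

    def must_update(self, encoded):
        # The encoded string carries its own salt, so its length can be read back.
        _, iterations, salt, _ = encoded.split("$", 3)
        return int(iterations) != self.iterations or len(salt) < self.salt_length


def check_and_upgrade(hasher, password, encoded):
    """Return (ok, encoded_to_store); re-hash only after a successful verify."""
    if not hasher.verify(password, encoded):
        return False, encoded
    if hasher.must_update(encoded):
        encoded = hasher.encode(password, hasher.salt())
    return True, encoded


def legacy_hash(password):
    """Constructed sample: a hash made while the salt length was still 12."""
    old = SketchPBKDF2Hasher()
    old.salt_length = 12
    return old.encode(password, old.salt())
```

Because the upgrade needs the plaintext password, hashes of accounts that never log in again keep their 12-character salt.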