#31358: Increase default password salt size in BasePasswordHasher.
--------------------------------------+------------------------------------
Reporter: Jon Moroney | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Utilities | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Comment (by Florian Apolloner):
Replying to [comment:23 Jon Moroney]:
> I think it's probably better to require the decode function rather than
having to deal with if it exists or not and update salt lengths only if
the function does exist. I feel that having this be optional will only
lead to more headaches down the line.
I am not sure it is that hard, it would also help with backwards compat.
Ie have a default decode method in `BaseHasher` which return an empty dict
and then:
* When it is time to check the salt length (ie in `must_update`), call
`decode` and if there is no `salt` in it raise a
`PendingDeprecationWarning` (and then `DeprecationWarning` followed by an
error in subsequent Django versions [ie change the method to
NotImplemented]).
* We can immediately update builtin hashers with a new `decode` method
that gets used as needed (`safe_summary` and whereever decoding is
needed). This should also allow me to finally easily upgrade Argon hashing
to the "new" variant.
* This way 3rd party authors get the old salt for a while being able to
update as needed. This is probably necessary since we do not can argue the
salt change important enough to throw all backwards concerns over board.
> Let me know how you feel about this and I can update the PR to include
similar `decode()`s for the other hashers included.
Generally good, but I do not think that a `decode` as used here should
have translations for dictionary keys, that is solely for use in
`safe_summary` imo.
--
Ticket URL: <https://code.djangoproject.com/ticket/31358#comment:24>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/066.69b9e54dc825328bf7e14008b3321bd8%40djangoproject.com.
