#13969: auth module should use longer salt for hashing
--------------------------+-------------------------------------------------
 Reporter:  cyounkins     |       Owner:  nobody
   Status:  new           |   Milestone:
Component:  Contrib apps  |     Version:  1.2
 Keywords:  security      |       Stage:  Unreviewed
Has_patch:  0             |
--------------------------+-------------------------------------------------
 As noted here - http://www.pythonsecurity.org/wiki/django/#authentication
 - the current auth module uses 5 hexadecimal characters as a salt. This is
 equivalent to 20 bits (log base 2 of 16^5). See
 http://code.djangoproject.com/browser/django/tags/releases/1.2.1/django/contrib/auth/models.py#L240

 PKCS5 v2.1 draft (http://www.rsa.com/rsalabs/node.asp?id=2127) recommends
 that a salt of at least 64 bits be used. This will strengthen the password
 scheme by increasing the time needed for dictionary attacks.

--
Ticket URL: <http://code.djangoproject.com/ticket/13969>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
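
The salt-size arithmetic in the ticket, as an added example that is not part of the ticket or of Django's code: it measures how often a 20-bit salt repeats across a user table compared with a 64-bit one, and audits stored records for salts under the 64-bit minimum. The `algo$salt$hash` record layout, the function names and the sample records are assumptions constructed for illustration.

```python
import math
import secrets

MIN_SALT_BITS = 64  # minimum salt size the ticket cites from the PKCS #5 draft


def hex_salt_bits(salt):
    """Upper bound on a hex salt's entropy: 4 bits per character."""
    int(salt, 16)  # raises ValueError if the salt is not hexadecimal
    return 4 * len(salt)


def expected_distinct_salts(users, bits):
    """Expected number of distinct salts among `users` uniform draws from 2**bits."""
    space = 2.0 ** bits
    # space * (1 - (1 - 1/space)**users), written to stay accurate for large spaces
    return -space * math.expm1(users * math.log1p(-1.0 / space))


def new_salt(bits=MIN_SALT_BITS):
    """Hex salt drawn from the OS CSPRNG with at least `bits` bits."""
    return secrets.token_hex((bits + 7) // 8)


def audit(records):
    """Return (users whose salt is under MIN_SALT_BITS, salts shared by several users)."""
    weak, by_salt = [], {}
    for user, stored in records.items():
        _algo, salt, _digest = stored.split("$", 2)  # assumed algo$salt$hash layout
        if hex_salt_bits(salt) < MIN_SALT_BITS:
            weak.append(user)
        by_salt.setdefault(salt, []).append(user)
    reused = {s: u for s, u in by_salt.items() if len(u) > 1}
    return sorted(weak), reused


# Constructed sample records; the digests are placeholders, not real hashes.
SAMPLE = {
    "alice": "sha1$a1b2c$" + "0" * 40,
    "bob": "sha1$a1b2c$" + "1" * 40,
    "carol": "sha1$9f3c6e0b1d2a4c57$" + "2" * 40,
}

if __name__ == "__main__":
    print(audit(SAMPLE))
    for bits in (20, MIN_SALT_BITS):
        print(bits, round(expected_distinct_salts(1_000_000, bits)))
```

With one million accounts, the 20-bit case yields only about 645,000 distinct salts, so a large share of accounts share a salt with another account; at 64 bits repeats are negligible.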