#15367: Improved Auth Password Hashing
-------------------------------------+-------------------------------------
     Reporter:  poswald              |        Owner:  nobody
       Status:  new                  |    Milestone:  1.4
    Component:  Authentication       |      Version:  1.2
     Keywords:  password, hash,      | Triage Stage:  Unreviewed
  hashing, bcrypt, scrypt, pbkdf2,   |
  sha2, sha1                         |
    Has patch:  0                    |
-------------------------------------+-------------------------------------
As discussed on the django-developers mailing list, we aim to improve the
default password hashing algorithm Django uses. This ticket will track the
changes needed to upgrade the default algorithm to one more resistant to
brute force attacks. This may include improvements that make it easier for
the developer to switch the encryption used to a third-party library,
whether by configuration or by decoupling the authentication code from the
User model object.
If you would like to help, please be familiar with the summary and
decisions made in the following discussion, at least starting from this
message:
http://groups.google.com/group/django-developers/browse_thread/thread/928ed5db00d5b1d8/919ce4798d30656a?#919ce4798d30656a
Also be aware of the past issues surrounding this topic, specifically
ticket:13969, which currently has existing code:
ticket:3316 (Adding `crypt' to list of password hashes for legacy apps. - closed: fixed)
ticket:5600 (Patch to enhance cryptography on django.contrib.auth - closed: wontfix)
ticket:5787 (BCrypt password hashing support in Django - closed: duplicate)
ticket:6028 (add compatibility with glibc2 MD5-based crypt passwords - new)
ticket:9101 (Improved salt generation for django.contrib.auth - closed: wontfix)
ticket:9194 (Allow additional hashing algorithms for passwords - closed: duplicate)
ticket:13969 (auth module should use longer salt for hashing - new)
The plan at this point is to follow this path:
* Django ships with PBKDF2 by default. This depends on SHA2 which should
be python 2.5 compatible (due to hashlib being added in python 2.5) and
PBKDF2 is short and simple enough that it could be included into the
project. This satisfies NIST/US Gov requirements.
* SHA1 is maintained for backwards compatibility
* Salt size increased
* Configurable settings for the number of hashing rounds to future-proof
for faster hardware
We can also investigate simplified ways of allowing developers to upgrade
the hashing library based on their requirements. However, it is more
important to get the default improved, and that is where we should focus.
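As an added illustration of the plan above (example code written for this note, not Django's own implementation or the patch attached to any of the tickets listed), the following Python 3 module implements PBKDF2-HMAC from RFC 2898 section 5.2 using only `hmac`, shows why it is "short and simple enough" to ship, and wraps it in a `pbkdf2_sha256$<iterations>$<salt>$<hex>` encoding with a larger random salt and a configurable round count. It also keeps the legacy `sha1$<salt>$<hex>` format readable so existing users can still log in, and reports when a stored hash should be re-hashed. The storage format, the iteration count and the salt size are assumptions of this example, not settings from the ticket; the Python 2.5 constraint in the ticket does not apply to it.

```python
import hashlib
import hmac
import secrets
import struct

# Configurable work factor and salt size, as the plan calls for. The concrete
# values are assumptions for this example, not Django settings.
PBKDF2_ITERATIONS = 10000
SALT_BYTES = 12          # 96-bit random salt, stored hex encoded


def pbkdf2(password, salt, iterations, dklen, digest=hashlib.sha256):
    """PBKDF2 per RFC 2898 section 5.2, built from HMAC only.

    For block i: U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}), and
    T_i = U_1 xor ... xor U_c.  The key is T_1 || T_2 || ... cut to dklen.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    hlen = digest().digest_size
    blocks = -(-dklen // hlen)                  # ceil(dklen / hlen)
    out = bytearray()
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), digest).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, digest).digest()
            t = bytearray(x ^ y for x, y in zip(t, u))
        out += t
    return bytes(out[:dklen])


def matches_stdlib(password, salt, iterations, dklen):
    """Self-check: compare our PBKDF2-HMAC-SHA256 with hashlib's (Python 3.4+)."""
    ours = pbkdf2(password, salt, iterations, dklen)
    ref = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)
    return hmac.compare_digest(ours, ref)


def make_password(raw_password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Encode as 'pbkdf2_sha256$<iterations>$<salt>$<hex>' (assumed format)."""
    if salt is None:
        salt = secrets.token_hex(SALT_BYTES)
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    dk = pbkdf2(raw_password.encode("utf-8"), salt.encode("ascii"), iterations, 32)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, dk.hex())


def legacy_sha1_password(raw_password, salt):
    """The existing single-iteration 'sha1$<salt>$<hex>' scheme, kept readable."""
    digest = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    return "sha1$%s$%s" % (salt, digest)


def check_password(raw_password, encoded):
    """Return (matches, needs_upgrade).

    needs_upgrade is True for a legacy SHA1 hash or for a PBKDF2 hash with
    fewer rounds than the current setting, so the caller can re-hash the
    password on a successful login instead of forcing a reset.
    """
    algorithm, rest = encoded.split("$", 1)
    if algorithm == "sha1":
        salt, _digest = rest.split("$", 1)
        expected = legacy_sha1_password(raw_password, salt)
        return hmac.compare_digest(expected, encoded), True
    if algorithm == "pbkdf2_sha256":
        iterations, salt, _digest = rest.split("$", 2)
        iterations = int(iterations)
        expected = make_password(raw_password, salt, iterations)
        ok = hmac.compare_digest(expected, encoded)
        return ok, iterations < PBKDF2_ITERATIONS
    raise ValueError("unknown algorithm: %s" % algorithm)
```

Storing the iteration count inside the encoded value is what makes the "future-proof for faster hardware" item workable: raising `PBKDF2_ITERATIONS` later does not invalidate old hashes, and `check_password` flags them for an upgrade the next time the user authenticates.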
--
Ticket URL: <http://code.djangoproject.com/ticket/15367>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.