#15627: check_password should use constant_time_compare instead of == to check passwords
----------------------------+---------------------------
 Reporter:  hvdklauw        |         Owner:  nobody
   Status:  new             |     Milestone:  1.3
Component:  Authentication  |       Version:  1.3-rc1
 Keywords:                  |  Triage Stage:  Unreviewed
Has patch:  1               |
----------------------------+---------------------------
 I just noticed Django doesn't use the constant_time_compare function in the check_password function in contrib.auth.models.
 I'll add a patch that changes it; it would be nice to have this little bit of extra security in the 1.3 release.

--
Ticket URL: <http://code.djangoproject.com/ticket/15627>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
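
Added example, not part of the ticket or of Django's code base: the same password check written once with `==` and once with a constant-time comparison, plus a small model of how many bytes an early-exit comparison examines. The `algo$salt$hash` record layout, the `salted_hexdigest` helper, the sample record and the use of `hmac.compare_digest` as the constant-time primitive are assumptions made for this sketch.

```python
import hashlib
import hmac


def constant_time_compare(val1: str, val2: str) -> bool:
    """Compare two strings without stopping at the first differing byte."""
    return hmac.compare_digest(val1.encode("utf-8"), val2.encode("utf-8"))


def early_exit_steps(val1: str, val2: str) -> int:
    """Model of a byte-by-byte equality test: bytes examined before it stops."""
    steps = 0
    for a, b in zip(val1, val2):
        steps += 1
        if a != b:
            break
    return steps


def salted_hexdigest(algo: str, salt: str, raw_password: str) -> str:
    # Constructed scheme for this sketch: hex digest of salt + password.
    return hashlib.new(algo, (salt + raw_password).encode("utf-8")).hexdigest()


def check_password_eq(raw_password: str, encoded: str) -> bool:
    """The pattern the ticket reports: stored hash compared with ==."""
    algo, salt, stored = encoded.split("$", 2)
    return stored == salted_hexdigest(algo, salt, raw_password)


def check_password_ct(raw_password: str, encoded: str) -> bool:
    """Same check with the comparison swapped for a constant-time one."""
    algo, salt, stored = encoded.split("$", 2)
    return constant_time_compare(stored, salted_hexdigest(algo, salt, raw_password))


# Constructed sample record, not taken from any real system.
ENCODED = "sha256$ab12$" + salted_hexdigest("sha256", "ab12", "correct horse")

if __name__ == "__main__":
    stored = ENCODED.split("$", 2)[2]
    for guess in ("correct horse", "wrong"):
        candidate = salted_hexdigest("sha256", "ab12", guess)
        # Both checks return the same verdict; only the work done by the
        # early-exit comparison varies with the length of the matching prefix.
        print(guess, check_password_eq(guess, ENCODED),
              check_password_ct(guess, ENCODED),
              early_exit_steps(stored, candidate))
```

The two checks return identical results for every input; the change affects only how much the comparison's running time reveals about where the hashes first differ.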
