#15367: Improved Auth Password Hashing
-------------------------------------+-------------------------------------
               Reporter:  poswald    |          Owner:  jart
                   Type:  New        |         Status:  new
  feature                            |      Component:  contrib.auth
              Milestone:  1.4        |       Severity:  Normal
                Version:             |       Keywords:  password, hash,
             Resolution:             |  hashing, bcrypt, scrypt, pbkdf2,
           Triage Stage:  Accepted   |  sha2, sha1
    Needs documentation:  1          |      Has patch:  1
Patch needs improvement:  1          |    Needs tests:  1
                  UI/UX:  0          |  Easy pickings:  0
-------------------------------------+-------------------------------------
Changes (by jezdez):

 * needs_better_patch:  0 => 1
 * version:  1.2 =>


Comment:

 Hm, in the patch, why is this being put in `django.utils` instead of
 staying in `django.contrib.auth`? I'm asking cause I've specifically
 created `django.contrib.auth.utils` a couple of weeks ago in trunk. What
 about having this in `django.contrib.auth.hashing`?

 Also, mind elaborating how the `PASSWORD_HASHERS` setting is supposed to
 be used? It seems a bit cumbersome to specify the setting if it can't be
 used like the `DATABASES` or `CACHES` setting. From what I understand is
 you only want to be able to specify the default hasher (atm the first item
 in the tuple, yuck) and some options. But switching the password hasher or
 changing an option of a password hasher isn't a common use case and
 therefore shouldn't be exposed like that as a multi-value setting. Instead,
 subclassing and setting a single setting (named `AUTH_PASSWORD_HASHER`)
 ought to be enough, e.g.::

 {{{
     AUTH_PASSWORD_HASHER  = 'mysite.security.MyCustomBCryptPasswordHasher'
 }}}

 Also, please don't use backslashes but brackets for line continuation.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/15367#comment:7>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
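
The single-setting design proposed in the comment above, sketched as an added example; it is not code from the ticket's patch or from Django. It assumes PBKDF2 from `hashlib` in place of bcrypt so that it runs on the standard library alone; the class names, `get_hasher`, `must_update` and the in-memory `mysite.security` module are hypothetical.

```python
import hashlib, hmac, os, sys, types
from importlib import import_module

class PBKDF2PasswordHasher:
    """Hypothetical base hasher (not Django's); options are class attributes."""
    algorithm = "pbkdf2_sha256"
    iterations = 10000  # constructed value for the example

    def _derive(self, password, salt, iterations):
        raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
        return raw.hex()

    def encode(self, password, salt=None):
        salt = salt or os.urandom(16).hex()
        digest = self._derive(password, salt, self.iterations)
        return "$".join([self.algorithm, str(self.iterations), salt, digest])

    def verify(self, password, encoded):
        algorithm, iterations, salt, expected = encoded.split("$")
        if algorithm != self.algorithm:
            return False
        # Use the iteration count stored in the hash so older hashes still verify.
        candidate = self._derive(password, salt, int(iterations))
        return hmac.compare_digest(candidate, expected)

    def must_update(self, encoded):
        # True when the stored hash was made with different options than the current ones.
        return int(encoded.split("$")[1]) != self.iterations

class MyCustomPBKDF2PasswordHasher(PBKDF2PasswordHasher):
    """Changing an option is done by subclassing, as the comment proposes."""
    iterations = 50000

# Constructed stand-in for a project module so the dotted path resolves offline.
security = types.ModuleType("mysite.security")
security.MyCustomPBKDF2PasswordHasher = MyCustomPBKDF2PasswordHasher
sys.modules.setdefault("mysite", types.ModuleType("mysite"))
sys.modules["mysite.security"] = security

# The one setting, as it would appear in settings.py (name taken from the comment).
AUTH_PASSWORD_HASHER = "mysite.security.MyCustomPBKDF2PasswordHasher"

def get_hasher(dotted_path=AUTH_PASSWORD_HASHER):
    """Resolve the configured dotted path to a hasher instance, failing loudly."""
    module_name, _, class_name = dotted_path.rpartition(".")
    try:
        return getattr(import_module(module_name), class_name)()
    except (ImportError, AttributeError, ValueError) as exc:
        raise RuntimeError("AUTH_PASSWORD_HASHER is misconfigured: %r" % dotted_path) from exc
```

Because the iteration count travels inside each encoded hash, raising it in the subclass does not invalidate existing passwords; `must_update` only flags them for re-hashing at the next successful login.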
