#15367: Improved Auth Password Hashing
-------------------------------------+-------------------------------------
               Reporter:  poswald    |          Owner:  jart
                   Type:  New        |         Status:  new
                          feature    |      Component:  contrib.auth
              Milestone:  1.4        |       Severity:  Normal
                Version:             |       Keywords:  password, hash,
             Resolution:             |                  hashing, bcrypt, scrypt, pbkdf2,
           Triage Stage:  Accepted   |                  sha2, sha1
    Needs documentation:  1          |      Has patch:  1
Patch needs improvement:  1          |    Needs tests:  1
                  UI/UX:  0          |  Easy pickings:  0
-------------------------------------+-------------------------------------

Comment (by carljm):

So the question of where the hashing code goes is a minor issue compared to the bulk of the work here (which is awesome, btw), but since there is an unresolved disagreement, I'll briefly summarize for posterity's sake the points on either side from the conversation in IRC (jezdez, please correct if I mis-represent anything):

In favor of putting it in django.utils.passhash, as the current patch does (or django.core.passhash?):

* Contrib.auth is notorious for not being as flexible as people want (this was raised numerous times at DjangoCon), and some people build their own alternative auth solutions. It would be good for these people to use a standard, common, well-tested-and-reviewed password hashing implementation rather than rolling their own. Putting it in core encourages people to perceive it as a low-level standard utility rather than a part of contrib.auth, and doesn't require them to add a dependency to a contrib app they don't otherwise use.

* Contrib.auth is likely to get a major overhaul soonish; it'd be good for the password hashing implementation to not be subject to any upheavals or namespace deprecations or whatnot that might be involved in that.

In favor of putting it in contrib.auth.utils:

* Nothing else in Django besides contrib.auth uses it, and password-hashing isn't really useful outside of auth/auth, so it may as well be part of contrib.auth, which is our only built-in auth/auth solution.

* django.utils is kind of a miscellaneous dumping ground for stuff, and not everything in there is currently well-maintained (this was asserted, anyway; I haven't checked myself to look for examples).

* A django.contrib.auth.utils module was recently added, and is now the home of the current password-hashing code.

(In case it isn't clear, I favor putting it in core rather than contrib.)

--
Ticket URL: <https://code.djangoproject.com/ticket/15367#comment:14>