On Mon, 2006-07-10 at 18:32 -0700, Vizcayno wrote:

> When I create a new user in the Admin with all privileges, Django asks
> for new user and password; when I type the password I can see what I
> write. I think this field should be protected from seeing the password.

Since it doesn't accept a cleartext password, there is no danger of snooping here.

> After saving the new user I log out of Admin, then I try to log in with the
> new user; the application denies the login because it is wrong, however
> I typed the user and password correctly. When I see the database (table
> auth_user), the password saved for the new user is not encrypted such
> as the initial administrator's is.
> What is wrong?

I suspect I'm going to regret answering this, but...

It does not say to enter the plaintext password in that box. Underneath it, it says "Use '[algo]$[salt]$[hexdigest]'". So you have to enter the hashed version of the password. To create this string from the raw password, you have to use some code like that found in django.contrib.auth.models.User.set_password() (you can't use that code precisely, because it is designed to work with a user object).

<rant>I could give you the party line about why it is done like this, but I'm not going to bother. I don't find it to be a particularly defensible design, since it is an enormous hassle without being part of a uniformly strong security policy. Since I haven't done anything to fix it, though, I shouldn't lob any more crap in that direction.</rant>

Malcolm
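The '[algo]$[salt]$[hexdigest]' string Malcolm refers to, as an added Python example that is not Django's own code: it builds the string the way the legacy Django scheme did (hexdigest of the salt concatenated with the raw password) and checks a candidate password against it, which is also why a plaintext value pasted into that admin box can never log in. The 5-character salt and the constant-time comparison are my choices; the digests shown are only for matching rows in that old format, since current Django hashes with PBKDF2 by default.

```python
import hashlib
import hmac
import secrets

# Hypothetical helpers (not django.contrib.auth) for the "[algo]$[salt]$[hexdigest]"
# string the admin field expects. Legacy Django computed hexdigest(salt + raw_password).
LEGACY_ALGOS = ("sha1", "md5")


def make_password(raw_password, algo="sha1", salt=None):
    """Return '[algo]$[salt]$[hexdigest]' for raw_password."""
    if algo not in LEGACY_ALGOS:
        raise ValueError("unsupported algorithm: %s" % algo)
    if salt is None:
        salt = secrets.token_hex(3)[:5]  # 5 hex chars, the legacy salt length
    if "$" in salt:
        raise ValueError("salt must not contain the '$' separator")
    hexdigest = hashlib.new(algo, (salt + raw_password).encode("utf-8")).hexdigest()
    return "%s$%s$%s" % (algo, salt, hexdigest)


def check_password(raw_password, encoded):
    """True only if raw_password reproduces the digest stored in encoded."""
    try:
        algo, salt, hexdigest = encoded.split("$", 2)
    except ValueError:
        # A plaintext password stored in auth_user.password has no '$' parts,
        # so the login in the question above fails here.
        return False
    if algo not in LEGACY_ALGOS:
        return False
    candidate = hashlib.new(algo, (salt + raw_password).encode("utf-8")).hexdigest()
    # Constant-time compare so a mismatch does not leak via timing.
    return hmac.compare_digest(candidate, hexdigest)
```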

