On Tuesday 09 June 2015 08:23:03 Ram Rachum wrote:
> On Tue, Jun 9, 2015 at 8:22 AM, Curtis Maloney <[email protected]>
> wrote:
>
> > On 9 June 2015 at 15:16, Ram Rachum <[email protected]> wrote:
> >>
> >> What do you think about using the project's `SECRET_KEY` as an
> >> additional salt in Django's password hashers?
> >
> > I think it'd royally screw you over if you ever had to change your secret
> > key [due to suspected leak, for example] as now all your passwords are
> > invalid.
>
> Okay, so how about if we use a separate secret?
>
How is it different? If you suspect a leak that forces you to change the secret key, wouldn't you be forced to change this secret as well? Shai.
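The failure mode Curtis and Shai describe, as an added illustration that is not part of this thread and not Django's own hasher code: a password hash that mixes in a project-wide secret (a "pepper", whether that is SECRET_KEY or a separate value) stops verifying the moment that secret is rotated. The second half goes beyond what the thread discusses and shows the usual way out, which is to store a key id alongside each hash so that rotation adds a new pepper instead of invalidating the old hashes, with re-hashing on the next successful login. The secrets, key ids and iteration count are constructed for the demo; PBKDF2 via hashlib stands in for whatever KDF the project actually uses.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for a project secret and its replacement after a
# suspected leak (not real values, not Django settings).
OLD_SECRET = b"old-project-secret-key"
NEW_SECRET = b"new-project-secret-key"

# Deliberately low so the demo runs quickly; production needs far more.
ITERATIONS = 20_000


def hash_password(password, pepper, salt=None):
    """The scheme proposed in the thread: the project secret is mixed into
    every hash next to the per-user salt.  Returns 'salthex$keyhex'."""
    salt = salt or os.urandom(16)
    # Bind the password to the pepper first, then run the slow KDF over
    # the result with the per-user salt.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password, stored, pepper):
    """Verify against a 'salthex$keyhex' record under the given pepper.
    If the pepper is not the one that produced the record, this returns
    False for the correct password too: rotation == every user locked out."""
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, pepper, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


# --- Mitigation (not something the thread proposes): a versioned pepper ---

# Constructed key ring: old peppers stay available for verification only.
PEPPERS = {"k1": OLD_SECRET, "k2": NEW_SECRET}
CURRENT_KEY_ID = "k2"


def hash_password_versioned(password, key_id=CURRENT_KEY_ID, salt=None):
    """Prefix the record with the id of the pepper that produced it."""
    return f"{key_id}${hash_password(password, PEPPERS[key_id], salt)}"


def verify_and_upgrade(password, stored):
    """Verify under whichever pepper the record names.  On success with a
    retired pepper, re-hash under the current one (the cleartext is in hand
    at login time).  Returns (ok, record_to_store)."""
    key_id, rest = stored.split("$", 1)
    pepper = PEPPERS.get(key_id)
    if pepper is None:
        return False, stored          # unknown key id: refuse, don't guess
    ok = verify_password(password, rest, pepper)
    if ok and key_id != CURRENT_KEY_ID:
        return True, hash_password_versioned(password)
    return ok, stored


if __name__ == "__main__":
    pw = "correct horse battery staple"
    record = hash_password(pw, OLD_SECRET)
    print("before rotation:", verify_password(pw, record, OLD_SECRET))   # True
    print("after rotation: ", verify_password(pw, record, NEW_SECRET))   # False

    old_record = hash_password_versioned(pw, key_id="k1")
    ok, new_record = verify_and_upgrade(pw, old_record)
    print("versioned login:", ok, "re-hashed under", new_record.split("$")[0])
```

The point of the second half is that a separate secret does not remove the problem Shai raises; it only lets you keep the retired secret around for verification while users migrate, which you cannot do if the secret is the same SECRET_KEY that signs sessions and CSRF tokens.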
