Hi Tim, I would suggest removing those hashers from the default list, but keeping at least the django.contrib.auth.hashers.UnsaltedMD5PasswordHasher around.
That hasher, being the fastest non-plaintext hasher around, is quite useful when running tests: it allows login checks to be performed much faster. Beyond this, the idea seems great — it's still pretty easy for a site to keep them around if it needs them. -- Raphaël On Tue, 2 Feb 2016 08:10:50 -0800 (PST) Tim Graham <[email protected]> wrote: > Django 0.90 stored passwords as unsalted MD5. Django 0.91 added support for > salted SHA1 with automatic upgrade of passwords [0]. > > In Django 1.4, the new password hashing machinery was added and some users > complained that they couldn't upgrade because the password format from > Django 0.90 was no longer accepted (passwords encodings starting with > "md5$$" or "sha1$$", though the ticket suggests Django never used the > latter prefix) [1]. > > I wonder if it's about time to remove these hashers [2]? I think it'd be > okay for users who haven't logged in since Django 0.90 to reset their > password (assuming the site provides that mechanism). I would consider > recommending that site administrators mark any unsalted passwords > "unusable" to mitigate the possibility of leaking unsalted passwords in the > event the database is compromised. > > I think this is as simple as: > > users = User.objects.filter(password__startswith='md5$$') > for user in users: > user.set_unusable_password() > user.save(update_fields=['password'] > > [0] https://code.djangoproject.com/ticket/18144#comment:18 > [1] https://code.djangoproject.com/ticket/18144 > [2] > https://github.com/django/django/compare/master...timgraham:remove-unsalted-hashers > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/20160202182336.719be5ca%40ithor.polyconseil.fr. For more options, visit https://groups.google.com/d/optout.
