I kept meaning to weigh in on this... but all my points have been made.

It sounds like the middle ground is to:

1) remove them from the default list
2) keep them in the codebase
3) make them noisy (raise warnings)
4) provide docs/tools on how to upgrade

Then we get "secure by default" (1), as well as "encouraging upgrades" (3), whilst also "supporting slow-to-update installs" (4), and "encouraging best practices" (3).


--
C
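The migration pattern the thread keeps circling back to (keep a legacy hasher in the project, let logins upgrade stored hashes to a strong default, and have a check that flags weak hashers in PASSWORD_HASHERS), as an added stand-alone example that is not Django's code and does not import it. It assumes the legacy scheme md5(md5(pass) + md5(pass)) from the thread concatenates the two hex digests; the iteration count and hasher class names in WEAK_HASHERS are only illustrative.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Illustrative set of Django hasher dotted paths considered weak here.
WEAK_HASHERS = {
    "django.contrib.auth.hashers.MD5PasswordHasher",
    "django.contrib.auth.hashers.UnsaltedMD5PasswordHasher",
    "django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher",
}
PBKDF2_ITERATIONS = 100_000  # constructed value for the example


def legacy_double_md5(password: str) -> str:
    """Legacy PHP scheme from the thread: md5(md5(pass) + md5(pass)) (assumed hex concat)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return "legacy_md5$" + hashlib.md5((inner + inner).encode()).hexdigest()


def pbkdf2_encode(password: str, salt: Optional[str] = None) -> str:
    """Strong default: salted PBKDF2-HMAC-SHA256, Django-style '$'-separated fields."""
    salt = salt or os.urandom(12).hex()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt}${dk.hex()}"


def verify(password: str, encoded: str) -> bool:
    """Dispatch on the algorithm prefix; constant-time comparison in both branches."""
    parts = encoded.split("$")
    if parts[0] == "legacy_md5":
        return hmac.compare_digest(legacy_double_md5(password), encoded)
    if parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        return hmac.compare_digest(pbkdf2_encode(password, parts[2]), encoded)
    return False


def must_update(encoded: str) -> bool:
    """True when the stored hash is legacy or below the current work factor."""
    parts = encoded.split("$")
    return parts[0] != "pbkdf2_sha256" or int(parts[1]) < PBKDF2_ITERATIONS


def check_password_and_upgrade(password: str, encoded: str) -> Tuple[bool, str]:
    """On a successful login re-encode weak hashes, so the legacy scheme dies out over time."""
    if not verify(password, encoded):
        return False, encoded
    return True, (pbkdf2_encode(password) if must_update(encoded) else encoded)


def weak_hasher_warnings(password_hashers: List[str]) -> List[str]:
    """The 'check for weak password hashers' idea: warn per weak entry, louder if it is the default."""
    return [f"{h} is {'the default hasher' if i == 0 else 'listed'}; plan an upgrade"
            for i, h in enumerate(password_hashers) if h in WEAK_HASHERS]
```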


On 06/02/16 19:51, Aymeric Augustin wrote:
Yes, that would be good from the “security by default” standpoint. This
would also allow us to trim the full list of hashers which is repeated
several times in the docs.

--
Aymeric.

On 6 Feb. 2016, at 00:03, Tim Graham <[email protected]> wrote:

I would guess most users aren't customizing the default list of
hashers, so I'd rather remove weak hashers from the PASSWORD_HASHERS
setting and let anyone who needs to use a weak hasher define their own
setting (at which point a warning probably isn't needed). Does that
seem okay?

On Friday, February 5, 2016 at 3:20:41 PM UTC-5, Aymeric Augustin wrote:

    Adding a check for weak password hashers could be a good
    compromise to drive attention to the issue but make it reasonably
    easy to ignore it if you need MD5 for compatibility with other
    systems.

    --
    Aymeric.

    On 5 Feb. 2016, at 21:11, Sergei Maertens <[email protected]> wrote:

    This is my main concern as well. I often migrate old Joomla or
    other PHP things that use md5, and it's really convenient that
    Django upgrades the passwords for free for me.

    Although I guess I could just write the hasher as part of the
    project and add it to the setting, but then that's an additional
    burden because you need to keep track of potential new hashers
    that get added in the default settings.

    On Friday, February 5, 2016 at 1:05:01 PM UTC+1, Rafał Pitoń wrote:

        Will I still be able to implement unsalted hasher if I so desire?

        Don't get me wrong, I understand that's a pretty crappy way to
        store passwords, but there are times when you inherit a large
        set of data from a site that you are moving from some old PHP
        contraption that happens to have been around since 2006, is big
        (>1000000 users), run by a company that dominates one of the
        nation's markets and says "absolutely no" to making all those
        housewives reset passwords, and your passwords happen to use
        md5(md5(pass) + md5(pass)) for passwords?


    --
    You received this message because you are subscribed to the
    Google Groups "Django developers (Contributions to Django
    itself)" group.
    To unsubscribe from this group and stop receiving emails from it,
    send an email to [email protected] <javascript:>.
    To post to this group, send email to [email protected]
    <javascript:>.
    Visit this group at
    https://groups.google.com/group/django-developers
    <https://groups.google.com/group/django-developers>.
    To view this discussion on the web visit
    
https://groups.google.com/d/msgid/django-developers/56677162-c020-4c2f-8d1f-b35ec0b9874d%40googlegroups.com
    
<https://groups.google.com/d/msgid/django-developers/56677162-c020-4c2f-8d1f-b35ec0b9874d%40googlegroups.com?utm_medium=email&utm_source=footer>.
    For more options, visit https://groups.google.com/d/optout
    <https://groups.google.com/d/optout>.



