#37078: salted_hmac() defaults to SHA-1 algorithm despite SHA-256 being preferred everywhere else
-------------------------------------+-------------------------------------
Reporter: Denny Biasiolli | Type:
| Cleanup/optimization
Status: new | Component: Utilities
Version: | Severity: Normal
Keywords: security, crypto | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
The `salted_hmac()` function (`crypto.py:19`) defaults to
`algorithm="sha1"`. While HMAC-SHA1 is not cryptographically broken (HMAC
construction is resistant to collision attacks), SHA-1 is deprecated by
NIST and modern security standards recommend SHA-256 or stronger for all
new applications.
All security-sensitive callers within Django already override this default
— `Signer` uses `sha256` (signing.py:193), `PasswordResetTokenGenerator`
passes `sha256` explicitly, and session auth hashes use SHA-256. However,
any third-party code or custom application calling `salted_hmac()` without
specifying an algorithm will silently use SHA-1.
## Steps to Reproduce
1. In any Django project, call:
```python
from django.utils.crypto import salted_hmac
mac = salted_hmac("my_salt", "my_value")
print(mac.digest_size) # 20 bytes = SHA-1
```
2. Observe the HMAC uses SHA-1 without any explicit algorithm selection
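The following is an added illustration, not code from this ticket or from Django itself: it re-implements the `salted_hmac()` construction with `hashlib` and `hmac` only (the key derivation `hash(key_salt + secret)` is an assumption about Django's internals, and the secret is a constructed demo value) so it runs without Django. It shows the 20-byte default the steps above produce, a caller that always names `sha256`, and a verifier that can accept legacy SHA-1 MACs while outstanding tokens are migrated, since changing the default on its own would invalidate every MAC issued under SHA-1.

```python
import hashlib
import hmac

# Constructed demo secret (assumption); a real app uses settings.SECRET_KEY.
SECRET = "constructed-demo-secret-not-for-production"


def salted_hmac(key_salt, value, secret=SECRET, *, algorithm="sha1"):
    """Stand-alone re-implementation of the salted_hmac() construction
    (assumed: key = hash(key_salt + secret), then HMAC over value with the
    same hash). Default left at sha1 to mirror the ticket's complaint."""
    hasher = getattr(hashlib, algorithm)
    key = hasher(key_salt.encode() + secret.encode()).digest()
    return hmac.new(key, msg=value.encode(), digestmod=hasher)


def digest_size_for_default():
    """What a caller gets when it omits `algorithm`: 20 bytes means SHA-1."""
    return salted_hmac("my_salt", "my_value").digest_size


def make_token(value, *, algorithm="sha256"):
    """Issue a MAC, always naming the algorithm so the library default
    cannot silently decide the hash for us."""
    return salted_hmac("demo.token", value, algorithm=algorithm).hexdigest()


def verify_token(value, token, *, accept_legacy_sha1=False):
    """Constant-time check against the SHA-256 MAC; optionally also accept
    SHA-1 MACs issued before a migration, so switching the default does
    not reject every token still in circulation."""
    candidates = [make_token(value, algorithm="sha256")]
    if accept_legacy_sha1:
        candidates.append(make_token(value, algorithm="sha1"))
    # Encode both sides so compare_digest never sees a non-ASCII str.
    token_bytes = token.encode()
    return any(hmac.compare_digest(token_bytes, c.encode()) for c in candidates)
```

Once every caller has been migrated, drop `accept_legacy_sha1` so SHA-1 MACs are rejected again.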
## Expected Behavior
`salted_hmac()` should default to `"sha256"` to match modern cryptographic
best practices and align with Django's own internal usage.
## Actual Behavior
`salted_hmac()` defaults to `algorithm="sha1"` (line 19 of `crypto.py`).
--
Ticket URL: <https://code.djangoproject.com/ticket/37078>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.