We've added extra security to the stored passwords in Django's authentication system. Thanks to a patch from GomoX, passwords are now stored with a salt and use SHA-1 encryption instead of MD5.
This change is backwards-incompatible, because two things have changed: the name of the database field (changed from "password_md5" to "password") and the length of the field (from 32 to 128). See the backwards-incompatible changes page for information on how to change your database. It's an easy update.

http://code.djangoproject.com/wiki/BackwardsIncompatibleChanges

Of course, the password data itself *is* backwards-compatible. If Django finds a password in the old format (encrypted as MD5), it will transparently change the password's encryption to the new format (salted SHA-1) the first time user.check_password() is successfully called. See the new Passwords section of the authentication docs for full information:

http://www.djangoproject.com/documentation/authentication/#passwords

Finally, note that this change applies only to the Django development version. If you're using Django 0.90, you won't see this change until the next release.

Adrian

--
Adrian Holovaty
holovaty.com | djangoproject.com | chicagocrime.org
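The transparent upgrade described in the announcement (an old unsalted MD5 value is detected, verified, and rewritten as salted SHA-1 on the first successful check_password() call) can be illustrated with the following added example. This is not Django's own code and does not come from the post; it assumes a constructed storage layout of "sha1$<salt>$<hexdigest>" for the new 128-character "password" field and a bare 32-character hex digest for the legacy "password_md5" values, and the hash is computed over salt + raw password. The User class, its save() stub and the helper names are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed layout for the new field: "<algorithm>$<salt>$<hexdigest>".
# The announcement does not spell out the exact layout; this is an assumption.
NEW_FIELD_MAX_LEN = 128   # new "password" column length from the announcement
LEGACY_MD5_LEN = 32       # old "password_md5" column length (hex MD5 digest)


def is_legacy_md5(stored):
    """Old format: a bare hex MD5 digest with no salt separator."""
    return "$" not in stored and len(stored) == LEGACY_MD5_LEN


def make_legacy_md5(raw_password):
    """Unsalted MD5, only used here to build a legacy value for the demo."""
    return hashlib.md5(raw_password.encode("utf-8")).hexdigest()


def make_salted_sha1(raw_password, salt=None):
    """Salted SHA-1 in the assumed 'sha1$salt$hexdigest' layout.

    A fresh random salt is generated when none is given, so two users with
    the same password no longer share the same stored value.
    """
    if salt is None:
        salt = secrets.token_hex(4)  # 8 hex characters, constructed choice
    digest = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    encoded = "sha1$%s$%s" % (salt, digest)
    assert len(encoded) <= NEW_FIELD_MAX_LEN
    return encoded


def check_password(raw_password, stored):
    """Verify raw_password against a stored value.

    Returns (ok, new_stored). new_stored equals `stored` unless a legacy MD5
    value was successfully verified, in which case it is the re-encoded
    salted SHA-1 value the caller should persist.
    """
    if is_legacy_md5(stored):
        # Legacy path: verify with MD5, then upgrade on success only. A failed
        # attempt must never rewrite the stored value.
        if hmac.compare_digest(make_legacy_md5(raw_password), stored):
            return True, make_salted_sha1(raw_password)
        return False, stored

    algorithm, salt, _digest = stored.split("$", 2)
    if algorithm != "sha1":
        raise ValueError("unsupported password algorithm: %r" % algorithm)
    ok = hmac.compare_digest(make_salted_sha1(raw_password, salt), stored)
    return ok, stored


class User:
    """Hypothetical stand-in for the auth model's user object."""

    def __init__(self, username, password):
        self.username = username
        self.password = password   # the new "password" field
        self.saved = 0             # counts persisted writes for the demo

    def save(self):
        self.saved += 1

    def check_password(self, raw_password):
        """Mirrors the announced behaviour: upgrade the hash on first success."""
        ok, new_stored = check_password(raw_password, self.password)
        if ok and new_stored != self.password:
            self.password = new_stored
            self.save()
        return ok


if __name__ == "__main__":
    # Constructed legacy record: a user whose password was stored as bare MD5.
    legacy_user = User("alice", make_legacy_md5("correct horse"))
    print("legacy value:", legacy_user.password)
    print("wrong password accepted?", legacy_user.check_password("wrong"))
    print("right password accepted?", legacy_user.check_password("correct horse"))
    print("upgraded value:", legacy_user.password, "saves:", legacy_user.saved)
```

Note that the upgrade only happens on a successful check: a wrong guess leaves the legacy MD5 value in place, so rows that have not been used since the change keep the old format until their owner logs in.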