On Sun, 12 Jan 2025 at 17:59, Tom Lane <t...@sss.pgh.pa.us> wrote: > "Peter J. Holzer" <hjp-pg...@hjp.at> writes: > > The web framework Django will automatically and transparently rehash any > > password with the currently preferred algorithm if it isn't stored that > > way already. > > Really? That implies that the framework has access to the original > cleartext password, which is a security fail already.
It happens upon user login. If the user's password is hashed with an old algorithm, it is re-hashed during login when the Django application running on the Web server has the password sent by the user: https://docs.djangoproject.com/en/5.1/topics/auth/passwords/#password-upgrading But of course this only works if the old method in use involves sending the password to the server.
