Tim Graham
1915a7e5c5
Increased the default PBKDF2 iterations.
2016-05-20 09:19:19 -04:00
Bas Westerbaan
a5033dbc58
Refs #26033 -- Added password hasher support for Argon2 v1.3.
The previous version of Argon2 uses encoded hashes of the form:
$argon2d$m=8,t=1,p=1$<salt>$<data>
The new version of Argon2 adds its version into the hash:
$argon2d$v=19$m=8,t=1,p=1$<salt>$<data>
This lets Django handle both version properly.
2016-04-25 21:17:53 -04:00
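The two encoded layouts quoted in that commit message differ only by the optional `$v=NN$` segment, so code that stores Argon2 hashes has to split on `$` and decide whether the second field is a version or the parameter list. The parser below is an added example, not Django's code; the sample strings are constructed (the salt and data fields are arbitrary base64, not real hashes), and the `needs_version_upgrade` helper is an assumed name showing how a stored pre-1.3 hash (no version field) can be flagged for re-hashing.

```python
import re

# Constructed samples of the two layouts named in the commit message.
# Salt/data values are placeholders, not the output of a real Argon2 run.
ARGON2_OLD_STYLE = "$argon2d$m=8,t=1,p=1$c2FsdHNhbHQ$ZGF0YWRhdGFkYXRh"
ARGON2_V13_STYLE = "$argon2d$v=19$m=8,t=1,p=1$c2FsdHNhbHQ$ZGF0YWRhdGFkYXRh"

# Argon2 1.3 reports its version as decimal 19 (0x13) in the encoded string.
ARGON2_CURRENT_VERSION = 19

_PARAMS_RE = re.compile(r"^m=(\d+),t=(\d+),p=(\d+)$")


def parse_argon2(encoded: str) -> dict:
    """Split an Argon2 encoded hash into its fields.

    Accepts both the pre-1.3 layout  $argon2x$m=..,t=..,p=..$salt$data
    and the 1.3 layout               $argon2x$v=NN$m=..,t=..,p=..$salt$data.
    `version` is None when the field is absent, so callers can tell the
    two apart instead of silently treating the parameter list as a version.
    """
    if not encoded.startswith("$"):
        raise ValueError("not an Argon2 encoded hash")
    parts = encoded[1:].split("$")
    if len(parts) not in (4, 5):
        raise ValueError("unexpected number of fields: %d" % len(parts))

    variant = parts[0]
    if not variant.startswith("argon2"):
        raise ValueError("unknown Argon2 variant %r" % variant)

    version = None
    if len(parts) == 5:
        if not parts[1].startswith("v="):
            raise ValueError("expected version field, got %r" % parts[1])
        version = int(parts[1][2:])
        params, salt, data = parts[2], parts[3], parts[4]
    else:
        params, salt, data = parts[1], parts[2], parts[3]

    m = _PARAMS_RE.match(params)
    if m is None:
        raise ValueError("malformed parameter field %r" % params)
    memory_cost, time_cost, parallelism = (int(x) for x in m.groups())
    if not salt or not data:
        raise ValueError("empty salt or hash field")

    return {
        "variant": variant,
        "version": version,
        "memory_cost": memory_cost,
        "time_cost": time_cost,
        "parallelism": parallelism,
        "salt": salt,
        "data": data,
    }


def needs_version_upgrade(encoded: str, current: int = ARGON2_CURRENT_VERSION) -> bool:
    """True when a stored hash predates the versioned layout or carries an
    older version than the library now produces (assumed policy for this example)."""
    version = parse_argon2(encoded)["version"]
    return version is None or version < current
```

A verifier still has to hand the whole string to the Argon2 library for the actual check; the parser is only there to route old and new records correctly and to decide when a login should trigger a re-hash under the current version.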
Tim Graham
1243fdf5cb
Fixed #26395 -- Skipped the CryptPasswordHasher tests on platforms with a dummy crypt module.
2016-03-22 11:22:21 -04:00
Bas Westerbaan
b4250ea04a
Fixed #26033 -- Added Argon2 password hasher.
2016-03-08 11:22:18 -05:00
Florian Apolloner
67b46ba701
Fixed CVE-2016-2513 -- Fixed user enumeration timing attack during login.
This is a security fix.
2016-03-01 11:25:28 -05:00
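The commit above names the bug class but not the mechanism, so here is an added illustration (not Django's code) of what "user enumeration timing attack during login" means and the standard fix. When a login for an unknown username returns before running the password hasher, the response is orders of magnitude faster than for a real user, and an attacker can tell valid usernames from invalid ones by timing alone. The hardened path runs the same work factor against a dummy salt and discards the result. The in-memory `UserStore`, the PBKDF2 work factor and the `hash_calls` counter are all constructed for this example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 30000            # assumption: an illustrative PBKDF2-SHA256 work factor
_DUMMY_SALT = os.urandom(16)  # only used to burn equal time when the user does not exist


def pbkdf2(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class UserStore:
    """Constructed in-memory user table: username -> (salt, hash)."""

    def __init__(self):
        self.users = {}
        self.hash_calls = 0  # counts hasher invocations so both code paths can be compared

    def _hash(self, password: str, salt: bytes) -> bytes:
        self.hash_calls += 1
        return pbkdf2(password, salt)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def authenticate_leaky(self, username: str, password: str) -> bool:
        """Vulnerable form: an unknown username returns before any hashing,
        so a missing user answers in microseconds and a real one in milliseconds."""
        entry = self.users.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(self._hash(password, salt), stored)

    def authenticate(self, username: str, password: str) -> bool:
        """Hardened form: the hasher runs exactly once on every path."""
        entry = self.users.get(username)
        if entry is None:
            # Same work factor, dummy salt, result thrown away.
            self._hash(password, _DUMMY_SALT)
            return False
        salt, stored = entry
        return hmac.compare_digest(self._hash(password, salt), stored)


def timing_gap_ms(store: UserStore, method_name: str) -> float:
    """Difference in wall-clock time between a known and an unknown username
    for the given login method; large for the leaky path, near zero for the fixed one."""
    login = getattr(store, method_name)
    t0 = time.perf_counter()
    login("alice", "wrong password")
    t1 = time.perf_counter()
    login("no-such-user", "wrong password")
    t2 = time.perf_counter()
    return ((t1 - t0) - (t2 - t1)) * 1000.0


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")
    print("leaky gap  : %.2f ms" % timing_gap_ms(store, "authenticate_leaky"))
    print("fixed gap  : %.2f ms" % timing_gap_ms(store, "authenticate"))
```

The dummy hash must use the same algorithm and work factor as a real user's stored hash, otherwise the two paths still differ in cost; note also that `hmac.compare_digest` closes the separate channel of early-exit byte comparison on the hash itself.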
Tim Graham
926d41f0e7
Updated some comments for BCryptSHA256PasswordHasher.
2016-02-11 11:57:12 -05:00
Matt Robenolt
8048411c97
Fixed a typo in BCryptPasswordHasher docstring
There is no BCryptSHA512PasswordHasher.
2016-01-09 12:14:51 -05:00
Tim Graham
f0ad641628
Fixed #26016 -- Restored contrib.auth hashers compatibility with py-bcrypt.
Reverted "Explicitly passed rounds as rounds to bcrypt.gensalt()"
This reverts commit 23529fb195.
2016-01-02 06:54:13 -05:00
Tim Graham
593c9eb660
Increased the default PBKDF2 iterations for the 1.10 release cycle.
2015-09-23 19:31:11 -04:00
Curtis Maloney
23529fb195
Explicitly passed rounds as rounds to bcrypt.gensalt()
2015-07-13 12:35:24 -04:00
Tim Graham
b86abbceb9
Fixed #24115 -- Allowed bcrypt hashers to upgrade passwords on rounds change.
Thanks Florian Apolloner for the review.
2015-03-30 18:52:59 -04:00
Simon Charette
19f7278c86
Removed reference to iteration count in the PBKDF2 hasher docstring.
2015-02-20 16:37:29 -05:00
Frank Wiles
e43f99d1a9
Fixed PBKDF2PasswordHasher comments to reflect reality.
2015-02-20 16:00:51 -05:00
Tim Graham
0ed7d15563
Sorted imports with isort; refs #23860.
2015-02-06 08:16:28 -05:00
Tim Graham
c51258882b
Increased the default PBKDF2 iterations.
2015-01-16 19:27:10 -05:00
Collin Anderson
5dddd79433
Fixed #20349 -- Moved setting_changed signal to django.core.signals.
This removes the need to load django.test when not testing.
2014-12-24 07:18:43 -05:00
Aymeric Augustin
dca33ac15d
Simplified caching of password hashers.
load_hashers cached its result regardless of its password_hashers
argument which required fragile cache invalidation. Remove that
argument in favor of @override_settings and triggering cache
invalidation with a signal.
2014-11-19 21:35:39 +01:00
Alex Gaynor
6732566967
Bump the default iterations for PBKDF2.
The rate at which we've increased this has not been keeping up with hardware (and software) improvements, and we're now considerably behind where we should be. The delta between our performance and an optimized implementation's performance prevents us from improving that further, but hopefully once Python 2.7.8 and 3.4+ get into more hands we can more aggressively increase this number.
2014-07-11 22:43:26 -07:00
Rodolfo Carvalho
0d91225892
Fixed many typos in comments and docstrings.
Thanks Piotr Kasprzyk for help with the patch.
2014-03-03 07:38:09 -05:00
Berker Peksag
5d263dee30
Fixed #21674 -- Deprecated the import_by_path() function in favor of import_string().
Thanks Aymeric Augustin for the suggestion and review.
2014-02-08 11:12:19 -05:00
Tim Graham
fddb0131d3
Fixed #21535 -- Fixed password hash iteration upgrade.
Thanks jared_mess for the report.
2013-11-30 14:18:37 -05:00
Tim Graham
d15985d81f
Fixed #21398 -- Fixed BCryptSHA256PasswordHasher with py-bcrypt and Python 3.
Thanks arjan at anymore.nl for the report.
2013-11-09 10:11:50 -05:00
Florian Apolloner
7d0d0dbf26
Force update of the password on iteration count changes.
2013-10-21 20:31:28 +02:00
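Several commits in this log raise the default PBKDF2 iteration count or bcrypt rounds, and the two entries just above ("Force update of the password on iteration count changes", "Fixed password hash iteration upgrade") are about what happens to hashes made under the old setting. The mechanism, as an added example rather than Django's own implementation: the stored record carries its own iteration count, verification uses that stored count (not the current default), and after a successful check a `must_update` test compares the stored count with the current one so the caller can re-hash the password while it is still in hand. The `algorithm$iterations$salt$hash` layout, the 30000 default and the `check_password`/`setter` names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets


class PBKDF2Hasher:
    """Illustrative PBKDF2-SHA256 hasher. The iteration count is a class
    attribute, so raising it is a one-line change; old records keep working
    and are upgraded on the next successful login."""

    algorithm = "pbkdf2_sha256"
    iterations = 30000  # assumption: illustrative current default

    def salt(self) -> str:
        # Hex keeps the salt ASCII and free of the '$' record separator.
        return secrets.token_hex(8)

    def encode(self, password: str, salt: str, iterations: int = None) -> str:
        if iterations is None:
            iterations = self.iterations
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt.encode("ascii"), iterations
        )
        return "%s$%d$%s$%s" % (
            self.algorithm, iterations, salt, base64.b64encode(digest).decode("ascii")
        )

    def _split(self, encoded: str):
        algorithm, iterations, salt, digest = encoded.split("$", 3)
        if algorithm != self.algorithm:
            raise ValueError("record is not %s" % self.algorithm)
        return int(iterations), salt, digest

    def verify(self, password: str, encoded: str) -> bool:
        iterations, salt, _ = self._split(encoded)
        # Re-encode with the *stored* count. Using self.iterations here would
        # make every hash produced under an older default fail to verify.
        candidate = self.encode(password, salt, iterations)
        return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))

    def must_update(self, encoded: str) -> bool:
        """True when the stored work factor differs from the current default."""
        iterations, _, _ = self._split(encoded)
        return iterations != self.iterations


def check_password(password: str, encoded: str, hasher: PBKDF2Hasher, setter) -> bool:
    """Verify `password` against `encoded`; on success, if the record is stale,
    call setter(password) so the caller can persist a fresh hash."""
    ok = hasher.verify(password, encoded)
    if ok and hasher.must_update(encoded):
        setter(password)
    return ok
```

The upgrade only fires after a successful verification, so the stored hash is never rewritten from an attacker-supplied guess, and the re-hash happens inside the login request where the plaintext is legitimately available; a record with a higher-than-default count is also reported as needing an update, which is the conservative choice when the setting is lowered by mistake.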
Tim Graham
1dae4ac177
Whitespace cleanup.
* Removed trailing whitespace.
* Added newline to EOF if missing.
* Removed blank lines at EOF.
* Removed some stray tabs.
2013-10-10 16:49:20 -04:00
Florian Apolloner
5d74853e15
Revert "Ensure that passwords are never long enough for a DoS."
This reverts commit aae5a96d57.
This fix is no longer necessary; our pbkdf2 implementation (see next commit)
no longer rehashes the password every iteration.
2013-09-24 21:01:21 +02:00
Paul McMillan
a075e2ad0d
Increase default PBKDF2 iterations
Increases the default PBKDF2 iterations, since computers have gotten
faster since 2011. In the future, we plan to increment by 10% per
major version.
2013-09-19 18:02:25 +01:00
Russell Keith-Magee
aae5a96d57
Ensure that passwords are never long enough for a DoS.
* Limit the password length to 4096 bytes
* Password hashers will raise a ValueError
* django.contrib.auth forms will fail validation
* Document in release notes that this is a backwards incompatible change
Thanks to Josh Wright for the report, and Donald Stufft for the patch.
This is a security fix; disclosure to follow shortly.
2013-09-15 13:42:23 +08:00
Gregor MacGregor
b2b763448f
Fixed #20841 -- Added messages to NotImplementedErrors
Thanks joseph at vertstudios.com for the suggestion.
2013-09-10 11:09:59 -04:00
Tim Graham
c7d0ff0cad
Fixed #20989 -- Removed explicit list comprehension inside dict() and tuple()
Thanks jeroen.pulles at redslider.net for the suggestion and
helper script.
2013-08-29 12:11:03 -04:00
Alex Gaynor
3e0eb2d788
Fixed a number of lint warnings, particularly around unused variables.
2013-08-04 09:17:10 -07:00
Curtis Maloney
07876cf02b
Deprecated SortedDict (replaced with collections.OrderedDict)
Thanks Loic Bistuer for the review.
2013-08-04 07:09:39 -04:00
Claude Paroz
fdd7a355bf
Deprecated django.utils.importlib
This was a shim for pre-Python 2.7 support.
2013-07-29 17:10:22 +02:00
Simon Charette
8759778185
Fixed #20675 -- `check_password` should work when no password is specified.
The regression was introduced by 2c4fe761a. Refs #20593.
2013-07-03 14:09:58 -04:00
Erik Romijn
aeb1389442
Fixed #20079 -- Improve security of password reset tokens
2013-06-18 20:02:00 +02:00
Erik Romijn
2c4fe761a0
Fixed #20593 -- Allow blank passwords in check_password() and set_password()
2013-06-18 13:32:54 -04:00
Jaap Roes
990f8d92dc
Fixed #20599 -- Changed wording of ValueError raised by _load_library
The _load_library method on BasePasswordHasher turns ImportErrors
into ValueErrors, this masks ImportErrors in the algorithm library.
Changed it to a clearer worded error message that includes
the ImportError string.
2013-06-15 10:50:55 +02:00
Donald Stufft
8f0a4665d6
Recommend using the bcrypt library instead of py-bcrypt
* py-bcrypt has not been updated in some time
* py-bcrypt does not support Python3
* py3k-bcrypt, a port of py-bcrypt to python3 is not compatible
with Django
* bcrypt is supported on all versions of Python that Django
supports
2013-05-13 23:49:00 -04:00
Donald Stufft
3070e8f711
Properly force bytes or str for bcrypt on Python3
2013-05-11 11:16:06 -04:00
Donald Stufft
25f2acfed0
Fixed #20138 -- Added BCryptSHA256PasswordHasher
BCryptSHA256PasswordHasher pre-hashes the user's password using
SHA256 to prevent the 72 byte truncation inherent in the BCrypt
algorithm.
2013-03-26 13:26:57 -04:00
Aymeric Augustin
f1255a3c09
Fixed #18144 -- Restored compatibility with SHA1 hashes with empty salt.
Thanks dahool for the report and initial version of the patch.
2013-02-25 20:21:58 +01:00
Claude Paroz
7c5b244826
Fixed #17061 -- Factored out importing object from a dotted path
Thanks Carl Meyer for the report.
2013-02-04 16:38:25 +01:00
Claude Paroz
1f8e7bb075
Added missing parentheses in if clause
2013-02-02 12:13:47 +01:00
Claude Paroz
63d6a50dd8
Fixed #18144 -- Added backwards compatibility with old unsalted MD5 passwords
Thanks apreobrazhensky at gmail.com for the report.
2013-02-02 12:02:36 +01:00
Claude Paroz
0dc3fc954f
Fixed #19509 -- Fixed crypt/bcrypt non-ascii password encoding
Also systematically added non-ascii passwords in hashers test suite.
Thanks Vaal for the report.
2012-12-22 16:04:10 +01:00
Claude Paroz
703c266682
Fixed #18182 -- Made is_usable_password check if hashing algorithm is correct
The display of the ReadOnlyPasswordHashWidget has also been improved to
distinguish empty/unusable password from erroneous password.
Fixed #18453 also.
Thanks danielr and Leo for the reports and Moritz Sichert for the
initial patch.
2012-09-12 11:32:50 +02:00
Claude Paroz
ebc773ada3
Replaced many smart_bytes by force_bytes
In all those occurrences, we didn't care about preserving the
lazy status of the strings, but we really wanted to obtain a
real bytestring.
2012-08-29 11:20:32 +02:00
Andrews Medina
87e0a75c03
[py3] Decoded base64-encoded hash in contrib.auth.hashers
2012-08-11 00:20:59 +02:00
Alex Gaynor
5f8da527ab
[py3k] use the base64 module, instead of bytes.encode('base64')
2012-08-09 07:26:11 -07:00
Aymeric Augustin
c5ef65bcf3
[py3] Ported django.utils.encoding.
* Renamed smart_unicode to smart_text (but kept the old name under
Python 2 for backwards compatibility).
* Renamed smart_str to smart_bytes.
* Re-introduced smart_str as an alias for smart_text under Python 3
and smart_bytes under Python 2 (which is backwards compatible).
Thus smart_str always returns a str objects.
* Used the new smart_str in a few places where both Python 2 and 3
want a str.
2012-08-07 12:00:22 +02:00
Claude Paroz
4a103086d5
Fixed #18269 -- Applied unicode_literals for Python 3 compatibility.
Thanks Vinay Sajip for the support of his django3 branch and
Jannis Leidel for the review.
2012-06-07 18:08:47 +02:00