Added password hashing improvements to 1.4 alpha 1 release notes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17258 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent
d49fd627a6
commit
2d1a681f77
|
@ -99,6 +99,23 @@ allows you to fix a very common performance problem in which your code ends up
|
||||||
doing O(n) database queries (or worse) if objects on your primary ``QuerySet``
|
doing O(n) database queries (or worse) if objects on your primary ``QuerySet``
|
||||||
each have many related objects that you also need.
|
each have many related objects that you also need.
|
||||||
|
|
||||||
|
Improved password hashing
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
Django's auth system (``django.contrib.auth``) stores passwords using a one-way
|
||||||
|
algorithm. Django 1.3 uses the SHA1_ algorithm, but increasing processor speeds
|
||||||
|
and theoretical attacks have revealed that SHA1 isn't as secure as we'd like.
|
||||||
|
Thus, Django 1.4 introduces a new password storage system: by default Django now
|
||||||
|
uses the PBKDF2_ algorithm (as recommended by NIST_). You can also easily choose
|
||||||
|
a different algorithm (including the popular bcrypt_ algorithm). For more
|
||||||
|
details, see :ref:`auth_password_storage`.
|
||||||
|
|
||||||
|
.. _sha1: http://en.wikipedia.org/wiki/SHA1
|
||||||
|
.. _pbkdf2: http://en.wikipedia.org/wiki/PBKDF2
|
||||||
|
.. _nist: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
|
||||||
|
.. _bcrypt: http://en.wikipedia.org/wiki/Bcrypt
|
||||||
|
|
||||||
|
|
||||||
HTML5 Doctype
|
HTML5 Doctype
|
||||||
~~~~~~~~~~~~~
|
~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
|
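Review bot: The new "Improved password hashing" paragraph tells readers that the default moves from SHA1 to PBKDF2 but says nothing about passwords already stored under Django 1.3, which is the first thing anyone upgrading will ask. Add a sentence after "uses the PBKDF2_ algorithm (as recommended by NIST_)" stating what happens to existing SHA1 hashes, or say explicitly that :ref:`auth_password_storage` covers the upgrade behaviour. The justification "increasing processor speeds and theoretical attacks have revealed that SHA1 isn't as secure as we'd like" also mixes two separate concerns; for password storage the relevant one is that a single fast hash makes offline guessing cheap, and saying so would make the case for an iterated algorithm clearer. Minor style point: the targets are defined lowercase (``.. _sha1:``, ``.. _pbkdf2:``, ``.. _nist:``) while the text references ``SHA1_``, ``PBKDF2_`` and ``NIST_``; reST matches reference names case-insensitively so these resolve, but matching the case would be easier to grep.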