[1.7.x] Increased the default PBKDF2 iterations.

This commit is contained in:
Tim Graham 2015-01-03 13:36:13 -05:00
parent 0a06ae9ef3
commit 4aed731154
3 changed files with 11 additions and 6 deletions


@ -222,12 +222,12 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
""" """
Secure password hashing using the PBKDF2 algorithm (recommended) Secure password hashing using the PBKDF2 algorithm (recommended)
Configured to use PBKDF2 + HMAC + SHA256 with 12000 iterations. Configured to use PBKDF2 + HMAC + SHA256 with 15000 iterations.
The result is a 64 byte binary string. Iterations may be changed The result is a 64 byte binary string. Iterations may be changed
safely but you must rename the algorithm if you change SHA256. safely but you must rename the algorithm if you change SHA256.
""" """
algorithm = "pbkdf2_sha256" algorithm = "pbkdf2_sha256"
iterations = 12000 iterations = 15000
digest = hashlib.sha256 digest = hashlib.sha256
def encode(self, password, salt, iterations=None): def encode(self, password, salt, iterations=None):
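Review bot: The rewritten docstring restates the iteration count ("with 15000 iterations") directly above `iterations = 15000`, so the two must be bumped in lockstep on every release; pointing at the attribute instead, `Configured to use PBKDF2 + HMAC + SHA256; see the ``iterations`` attribute for the current default.`, removes the drift. While the docstring is being touched, "The result is a 64 byte binary string" does not match the 44-character base64 value the tests pin, which decodes to 32 bytes (SHA-256's digest length); `The result is a base64-encoded 32 byte binary string.` would be accurate. The new default is also inherited by subclasses that do not override `iterations` (the test hunk shows `pbkdf2_sha1$15000$...`), which the release note states but a short comment on the attribute would make visible at the definition. `encode` continues outside the hunk.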


@ -47,7 +47,7 @@ class TestUtilsHashPass(SimpleTestCase):
def test_pkbdf2(self): def test_pkbdf2(self):
encoded = make_password('lètmein', 'seasalt', 'pbkdf2_sha256') encoded = make_password('lètmein', 'seasalt', 'pbkdf2_sha256')
self.assertEqual(encoded, self.assertEqual(encoded,
'pbkdf2_sha256$12000$seasalt$Ybw8zsFxqja97tY/o6G+Fy1ksY4U/Hw3DRrGED6Up4s=') 'pbkdf2_sha256$15000$seasalt$+qoFTwR4r71UCLMhmQUCou/LMu17XwQWfYIVd/xJ1RI=')
self.assertTrue(is_password_usable(encoded)) self.assertTrue(is_password_usable(encoded))
self.assertTrue(check_password('lètmein', encoded)) self.assertTrue(check_password('lètmein', encoded))
self.assertFalse(check_password('lètmeinz', encoded)) self.assertFalse(check_password('lètmeinz', encoded))
@ -211,14 +211,14 @@ class TestUtilsHashPass(SimpleTestCase):
hasher = PBKDF2PasswordHasher() hasher = PBKDF2PasswordHasher()
encoded = hasher.encode('lètmein', 'seasalt2') encoded = hasher.encode('lètmein', 'seasalt2')
self.assertEqual(encoded, self.assertEqual(encoded,
'pbkdf2_sha256$12000$seasalt2$hlDLKsxgkgb1aeOppkM5atCYw5rPzAjCNQZ4NYyUROw=') 'pbkdf2_sha256$15000$seasalt2$uSQqI+91wgObKdP6L6S75LLzyxrZRWNcaujEZPA3/nA=')
self.assertTrue(hasher.verify('lètmein', encoded)) self.assertTrue(hasher.verify('lètmein', encoded))
def test_low_level_pbkdf2_sha1(self): def test_low_level_pbkdf2_sha1(self):
hasher = PBKDF2SHA1PasswordHasher() hasher = PBKDF2SHA1PasswordHasher()
encoded = hasher.encode('lètmein', 'seasalt2') encoded = hasher.encode('lètmein', 'seasalt2')
self.assertEqual(encoded, self.assertEqual(encoded,
'pbkdf2_sha1$12000$seasalt2$JeMRVfjjgtWw3/HzlnlfqBnQ6CA=') 'pbkdf2_sha1$15000$seasalt2$iYDXAPKgMsKMsarvA1MErD518Ug=')
self.assertTrue(hasher.verify('lètmein', encoded)) self.assertTrue(hasher.verify('lètmein', encoded))
def test_upgrade(self): def test_upgrade(self):
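Review bot: Nothing left in these tests proves that a hash stored under the old 12000 count still verifies after the bump, because both hunks swap the old vectors for freshly generated 15000 ones rather than keeping one as a fixed input, and that is the property the release note promises. Keeping a removed string as input would pin it, e.g. `self.assertTrue(check_password('lètmein', 'pbkdf2_sha256$12000$seasalt$Ybw8zsFxqja97tY/o6G+Fy1ksY4U/Hw3DRrGED6Up4s='))` next to the new assertion in test_pkbdf2, which would also show that verification uses the count carried in the encoded value rather than the hasher's current default. The same hardcoded-vector pattern applies to the PBKDF2SHA1PasswordHasher assertion in the second hunk. If test_upgrade, which starts on the hunk's last line and continues outside it, already exercises an old-count hash, this is covered there.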


@ -11,4 +11,9 @@ Django 1.7.3 fixes several bugs in 1.7.2.
Bugfixes Bugfixes
======== ========
* ... * The default iteration count for the PBKDF2 password hasher has been
increased by 25%. This part of the normal major release process was
inadvertently omitted in 1.7. This backwards compatible change will not
affect users who have subclassed
``django.contrib.auth.hashers.PBKDF2PasswordHasher`` to change the
default value.