Fixed #19562 -- cleaned up password storage docs

Preston Holmes 2013-01-04 17:42:25 -08:00
parent b740da3504
commit c8eff0dbcb
1 changed files with 16 additions and 13 deletions


@ -14,17 +14,19 @@ How Django stores passwords
=========================== ===========================
Django provides a flexible password storage system and uses PBKDF2 by default. Django provides a flexible password storage system and uses PBKDF2 by default.
Older versions of Django used SHA1, and other algorithms couldn't be chosen.
The :attr:`~django.contrib.auth.models.User.password` attribute of a The :attr:`~django.contrib.auth.models.User.password` attribute of a
:class:`~django.contrib.auth.models.User` object is a string in this format:: :class:`~django.contrib.auth.models.User` object is a string in this format::
algorithm$hash <algorithm>$<iterations>$<salt>$<hash>
That's a storage algorithm, and hash, separated by the dollar-sign Those are the components used for storing a User's password, separated by the
character. The algorithm is one of a number of one way hashing or password dollar-sign character and consist of: the hashing algorithm, the number of
storage algorithms Django can use; see below. The hash is the result of the one- algorithm iterations (work factor), the random salt, and the resulting password
way function. hash. The algorithm is one of a number of one-way hashing or password storage
algorithms Django can use; see below. Iterations describe the number of times
the algorithm is run over the hash. Salt is the random seed used and the hash
is the result of the one-way function.
By default, Django uses the PBKDF2_ algorithm with a SHA256 hash, a By default, Django uses the PBKDF2_ algorithm with a SHA256 hash, a
password stretching mechanism recommended by NIST_. This should be password stretching mechanism recommended by NIST_. This should be
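Review bot: the new explanation of the iterations component is technically inaccurate. "Iterations describe the number of times the algorithm is run over the hash" suggests the stored hash is re-hashed; in PBKDF2 the iteration count is the work factor, the number of rounds the underlying function (the SHA256 PRF named in the next paragraph) is applied to the password and salt before the final hash is produced, and it is chosen to slow brute-force guessing. Suggest something like "Iterations is the work factor: the number of times the underlying function is applied during hashing, which raises the cost of guessing attacks." Similarly, "Salt is the random seed used" is loose wording; a salt is a random per-password value mixed into the hash so that identical passwords hash differently and precomputed tables do not apply, not a seed. Finally, since the same section says other hashers are configurable, consider noting that the four-part `<algorithm>$<iterations>$<salt>$<hash>` layout is the PBKDF2 format and that other hashers may store fewer or differently ordered components.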
@ -36,13 +38,14 @@ algorithm, or even use a custom algorithm to match your specific
security situation. Again, most users shouldn't need to do this -- if security situation. Again, most users shouldn't need to do this -- if
you're not sure, you probably don't. If you do, please read on: you're not sure, you probably don't. If you do, please read on:
Django chooses the an algorithm by consulting the :setting:`PASSWORD_HASHERS` Django chooses the algorithm to use by consulting the
setting. This is a list of hashing algorithm classes that this Django :setting:`PASSWORD_HASHERS` setting. This is a list of hashing algorithm
installation supports. The first entry in this list (that is, classes that this Django installation supports. The first entry in this list
``settings.PASSWORD_HASHERS[0]``) will be used to store passwords, and all the (that is, ``settings.PASSWORD_HASHERS[0]``) will be used to store passwords,
other entries are valid hashers that can be used to check existing passwords. and all the other entries are valid hashers that can be used to check existing
This means that if you want to use a different algorithm, you'll need to modify passwords. This means that if you want to use a different algorithm, you'll
:setting:`PASSWORD_HASHERS` to list your preferred algorithm first in the list. need to modify :setting:`PASSWORD_HASHERS` to list your preferred algorithm
first in the list.
The default for :setting:`PASSWORD_HASHERS` is:: The default for :setting:`PASSWORD_HASHERS` is::
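Review bot: minor style point on the last sentence of the rewrapped paragraph: "list your preferred algorithm first in the list" repeats "list"; "put your preferred algorithm first" reads more cleanly. The rest of the hunk is a pure reflow plus the "the an" typo fix and reads correctly.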