Increased the default PBKDF2 iterations for Django 5.2.

2024-05-03 16:04:07 -03:00 · 2024-05-03 16:04:07 -03:00 · 04a208d7f1
parent 3a748cd0f5
commit 04a208d7f1
3 changed files with 8 additions and 6 deletions
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@ -312,7 +312,7 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
    """

    algorithm = "pbkdf2_sha256"
-    iterations = 870000
+    iterations = 1_000_000
    digest = hashlib.sha256

    def encode(self, password, salt, iterations=None):
--- a/docs/releases/5.2.txt
+++ b/docs/releases/5.2.txt
@ -47,7 +47,8 @@ Minor features
 :mod:`django.contrib.auth`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~

-* ...
+* The default iteration count for the PBKDF2 password hasher is increased from
+  870,000 to 1,000,000.

 :mod:`django.contrib.contenttypes`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- a/tests/auth_tests/test_hashers.py
+++ b/tests/auth_tests/test_hashers.py
@ -83,7 +83,8 @@ class TestUtilsHashPass(SimpleTestCase):
        encoded = make_password("lètmein", "seasalt", "pbkdf2_sha256")
        self.assertEqual(
            encoded,
-            "pbkdf2_sha256$870000$seasalt$wJSpLMQRQz0Dhj/pFpbyjMj71B2gUYp6HJS5AU+32Ac=",
+            "pbkdf2_sha256$1000000$"
+            "seasalt$r1uLUxoxpP2Ued/qxvmje7UH9PUJBkRrvf9gGPL7Cps=",
        )
        self.assertTrue(is_password_usable(encoded))
        self.assertTrue(check_password("lètmein", encoded))
@ -276,8 +277,8 @@ class TestUtilsHashPass(SimpleTestCase):
        encoded = hasher.encode("lètmein", "seasalt2")
        self.assertEqual(
            encoded,
-            "pbkdf2_sha256$870000$"
-            "seasalt2$nxgnNHRsZWSmi4hRSKq2MRigfaRmjDhH1NH4g2sQRbU=",
+            "pbkdf2_sha256$1000000$"
+            "seasalt2$egbhFghgsJVDo5Tpg/k9ZnfbySKQ1UQnBYXhR97a7sk=",
        )
        self.assertTrue(hasher.verify("lètmein", encoded))

@ -285,7 +286,7 @@ class TestUtilsHashPass(SimpleTestCase):
        hasher = PBKDF2SHA1PasswordHasher()
        encoded = hasher.encode("lètmein", "seasalt2")
        self.assertEqual(
-            encoded, "pbkdf2_sha1$870000$seasalt2$iFPKnrkYfxxyxaeIqxq+c3nJ/j4="
+            encoded, "pbkdf2_sha1$1000000$seasalt2$3R9hvSAiAy5ARspAFy5GJ/2rjXo="
        )
        self.assertTrue(hasher.verify("lètmein", encoded))