From 04a208d7f19f393ad92ba7cef31842318be2d38a Mon Sep 17 00:00:00 2001 From: Natalia <124304+nessita@users.noreply.github.com> Date: Fri, 3 May 2024 16:04:07 -0300 Subject: [PATCH] Increased the default PBKDF2 iterations for Django 5.2. --- django/contrib/auth/hashers.py | 2 +- docs/releases/5.2.txt | 3 ++- tests/auth_tests/test_hashers.py | 9 +++++---- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py index b5397475611..a2ef1dae11c 100644 --- a/django/contrib/auth/hashers.py +++ b/django/contrib/auth/hashers.py @@ -312,7 +312,7 @@ class PBKDF2PasswordHasher(BasePasswordHasher): """ algorithm = "pbkdf2_sha256" - iterations = 870000 + iterations = 1_000_000 digest = hashlib.sha256 def encode(self, password, salt, iterations=None): diff --git a/docs/releases/5.2.txt b/docs/releases/5.2.txt index 5c285e8f399..9d28415df19 100644 --- a/docs/releases/5.2.txt +++ b/docs/releases/5.2.txt @@ -47,7 +47,8 @@ Minor features :mod:`django.contrib.auth` ~~~~~~~~~~~~~~~~~~~~~~~~~~ -* ... +* The default iteration count for the PBKDF2 password hasher is increased from + 870,000 to 1,000,000. :mod:`django.contrib.contenttypes` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py index bec298cc3a0..09d7056411f 100644 --- a/tests/auth_tests/test_hashers.py +++ b/tests/auth_tests/test_hashers.py @@ -83,7 +83,8 @@ class TestUtilsHashPass(SimpleTestCase): encoded = make_password("lètmein", "seasalt", "pbkdf2_sha256") self.assertEqual( encoded, - "pbkdf2_sha256$870000$seasalt$wJSpLMQRQz0Dhj/pFpbyjMj71B2gUYp6HJS5AU+32Ac=", + "pbkdf2_sha256$1000000$" + "seasalt$r1uLUxoxpP2Ued/qxvmje7UH9PUJBkRrvf9gGPL7Cps=", ) self.assertTrue(is_password_usable(encoded)) self.assertTrue(check_password("lètmein", encoded)) @@ -276,8 +277,8 @@ class TestUtilsHashPass(SimpleTestCase): encoded = hasher.encode("lètmein", "seasalt2") self.assertEqual( encoded, - "pbkdf2_sha256$870000$" - "seasalt2$nxgnNHRsZWSmi4hRSKq2MRigfaRmjDhH1NH4g2sQRbU=", + "pbkdf2_sha256$1000000$" + "seasalt2$egbhFghgsJVDo5Tpg/k9ZnfbySKQ1UQnBYXhR97a7sk=", ) self.assertTrue(hasher.verify("lètmein", encoded)) @@ -285,7 +286,7 @@ class TestUtilsHashPass(SimpleTestCase): hasher = PBKDF2SHA1PasswordHasher() encoded = hasher.encode("lètmein", "seasalt2") self.assertEqual( - encoded, "pbkdf2_sha1$870000$seasalt2$iFPKnrkYfxxyxaeIqxq+c3nJ/j4=" + encoded, "pbkdf2_sha1$1000000$seasalt2$3R9hvSAiAy5ARspAFy5GJ/2rjXo=" ) self.assertTrue(hasher.verify("lètmein", encoded))