diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
index 0e44614fcbf..7a751a694e6 100644
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@@ -10,7 +10,7 @@ from django.core.exceptions import ImproperlyConfigured
 from django.core.signals import setting_changed
 from django.dispatch import receiver
 from django.utils.crypto import (
-    constant_time_compare, get_random_string, pbkdf2,
+    RANDOM_STRING_CHARS, constant_time_compare, get_random_string, pbkdf2,
 )
 from django.utils.module_loading import import_string
 from django.utils.translation import gettext_noop as _
@@ -190,8 +190,8 @@ class BasePasswordHasher:
 
     def salt(self):
         """Generate a cryptographically secure nonce salt in ASCII."""
-        # 12 returns a 71-bit value, log_2((26+26+10)^12) =~ 71 bits
-        return get_random_string(12)
+        # 12 returns a 71-bit value, log_2(len(RANDOM_STRING_CHARS)^12) =~ 71 bits
+        return get_random_string(12, RANDOM_STRING_CHARS)
 
     def verify(self, password, encoded):
         """Check if the given password is correct."""
diff --git a/django/utils/crypto.py b/django/utils/crypto.py
index 3837e64e05a..4fb3a9da9d4 100644
--- a/django/utils/crypto.py
+++ b/django/utils/crypto.py
@@ -47,14 +47,12 @@ def salted_hmac(key_salt, value, secret=None, *, algorithm='sha1'):
 
 
 NOT_PROVIDED = object()  # RemovedInDjango40Warning.
+RANDOM_STRING_CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
 
 
 # RemovedInDjango40Warning: when the deprecation ends, replace with:
-# def get_random_string(length, allowed_chars='...'):
-def get_random_string(length=NOT_PROVIDED, allowed_chars=(
-    'abcdefghijklmnopqrstuvwxyz'
-    'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
-)):
+# def get_random_string(length, allowed_chars=RANDOM_STRING_CHARS):
+def get_random_string(length=NOT_PROVIDED, allowed_chars=RANDOM_STRING_CHARS):
     """
     Return a securely generated random string.
 
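Review bot: The rewritten comment in `BasePasswordHasher.salt()` now states the salt entropy as `log_2(len(RANDOM_STRING_CHARS)^12)`, but the 71-bit figure is still hard-coded while the alphabet length is only implied, so a reader has to go look up the constant to check the arithmetic. Since the salt length is the security-relevant quantity here, spell both numbers out so the claim is verifiable in place: `# 12 chars over the 62-symbol RANDOM_STRING_CHARS alphabet: log_2(62^12) =~ 71 bits`. Passing `RANDOM_STRING_CHARS` explicitly also pins the hasher's salt alphabet independently of `get_random_string`'s default, which is worth a short clause in that comment so nobody later "simplifies" it back to `get_random_string(12)`. The `BasePasswordHasher` class starts before this hunk.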
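Review bot: `RANDOM_STRING_CHARS` is introduced as a public module-level constant in `django/utils/crypto.py` but carries no comment, even though it now defines the default alphabet for every `get_random_string()` caller and therefore the per-character entropy of tokens built on it. A one-line comment above it would make that contract explicit, e.g. `# Default alphabet for get_random_string(): 62 symbols, ~5.95 bits of entropy per character.`. The `get_random_string` docstring that follows continues outside the hunk; if it still describes the default as "the a-z, A-Z, 0-9 character set", consider having it name `RANDOM_STRING_CHARS` so the two stay in sync.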