From a948d9df394aafded78d72b1daa785a0abfeab48 Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Thu, 14 Jan 2021 10:46:29 +0100 Subject: [PATCH] Increased the default PBKDF2 iterations for Django 4.0. --- django/contrib/auth/hashers.py | 2 +- docs/releases/4.0.txt | 3 ++- tests/auth_tests/test_hashers.py | 6 +++--- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py index 86ae7f42a8b..e53e4da1934 100644 --- a/django/contrib/auth/hashers.py +++ b/django/contrib/auth/hashers.py @@ -265,7 +265,7 @@ class PBKDF2PasswordHasher(BasePasswordHasher): safely but you must rename the algorithm if you change SHA256. """ algorithm = "pbkdf2_sha256" - iterations = 260000 + iterations = 320000 digest = hashlib.sha256 def encode(self, password, salt, iterations=None): diff --git a/docs/releases/4.0.txt b/docs/releases/4.0.txt index c8106e2d397..52531c12666 100644 --- a/docs/releases/4.0.txt +++ b/docs/releases/4.0.txt @@ -42,7 +42,8 @@ Minor features :mod:`django.contrib.auth` ~~~~~~~~~~~~~~~~~~~~~~~~~~ -* ... +* The default iteration count for the PBKDF2 password hasher is increased from + 260,000 to 320,000. :mod:`django.contrib.contenttypes` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py index 8bc61bc8b29..411bcea8e9c 100644 --- a/tests/auth_tests/test_hashers.py +++ b/tests/auth_tests/test_hashers.py @@ -63,7 +63,7 @@ class TestUtilsHashPass(SimpleTestCase): def test_pbkdf2(self): encoded = make_password('lètmein', 'seasalt', 'pbkdf2_sha256') - self.assertEqual(encoded, 'pbkdf2_sha256$260000$seasalt$YlZ2Vggtqdc61YjArZuoApoBh9JNGYoDRBUGu6tcJQo=') + self.assertEqual(encoded, 'pbkdf2_sha256$320000$seasalt$Toj2II2rBvFiGQcPmUml1Nlni2UtvyRWwz/jz4q6q/4=') self.assertTrue(is_password_usable(encoded)) self.assertTrue(check_password('lètmein', encoded)) self.assertFalse(check_password('lètmeinz', encoded)) @@ -314,13 +314,13 @@ class TestUtilsHashPass(SimpleTestCase): def test_low_level_pbkdf2(self): hasher = PBKDF2PasswordHasher() encoded = hasher.encode('lètmein', 'seasalt2') - self.assertEqual(encoded, 'pbkdf2_sha256$260000$seasalt2$UCGMhrOoaq1ghQPArIBK5RkI6IZLRxlIwHWA1dMy7y8=') + self.assertEqual(encoded, 'pbkdf2_sha256$320000$seasalt2$BRr4pYNIQDsLFP+u4dzjs7pFuWJEin4lFMMoO9wBYvo=') self.assertTrue(hasher.verify('lètmein', encoded)) def test_low_level_pbkdf2_sha1(self): hasher = PBKDF2SHA1PasswordHasher() encoded = hasher.encode('lètmein', 'seasalt2') - self.assertEqual(encoded, 'pbkdf2_sha1$260000$seasalt2$wAibXvW6jgvatCdONi6SMJ6q7mI=') + self.assertEqual(encoded, 'pbkdf2_sha1$320000$seasalt2$sDOkTvzV93jPWTRVxFGh50Jefo0=') self.assertTrue(hasher.verify('lètmein', encoded)) @skipUnless(bcrypt, 'bcrypt not installed')