mirror of https://github.com/django/django.git
Merge pull request #1062 from dstufft/switch-bcrypt-recommendations
Recommend using the bcrypt library instead of py-bcrypt
commit
c792c83cad
|
@ -263,13 +263,13 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher):
|
||||||
Secure password hashing using the bcrypt algorithm (recommended)
|
Secure password hashing using the bcrypt algorithm (recommended)
|
||||||
|
|
||||||
This is considered by many to be the most secure algorithm but you
|
This is considered by many to be the most secure algorithm but you
|
||||||
must first install the py-bcrypt library. Please be warned that
|
must first install the bcrypt library. Please be warned that
|
||||||
this library depends on native C code and might cause portability
|
this library depends on native C code and might cause portability
|
||||||
issues.
|
issues.
|
||||||
"""
|
"""
|
||||||
algorithm = "bcrypt_sha256"
|
algorithm = "bcrypt_sha256"
|
||||||
digest = hashlib.sha256
|
digest = hashlib.sha256
|
||||||
library = ("py-bcrypt", "bcrypt")
|
library = ("bcrypt", "bcrypt")
|
||||||
rounds = 12
|
rounds = 12
|
||||||
|
|
||||||
def salt(self):
|
def salt(self):
|
||||||
|
@ -329,7 +329,7 @@ class BCryptPasswordHasher(BCryptSHA256PasswordHasher):
|
||||||
Secure password hashing using the bcrypt algorithm
|
Secure password hashing using the bcrypt algorithm
|
||||||
|
|
||||||
This is considered by many to be the most secure algorithm but you
|
This is considered by many to be the most secure algorithm but you
|
||||||
must first install the py-bcrypt library. Please be warned that
|
must first install the bcrypt library. Please be warned that
|
||||||
this library depends on native C code and might cause portability
|
this library depends on native C code and might cause portability
|
||||||
issues.
|
issues.
|
||||||
|
|
||||||
|
|
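Review bot: `library = ("bcrypt", "bcrypt")` in BCryptSHA256PasswordHasher now holds two identical strings, with nothing to say which is the distribution name and which is the importable module. A short comment above it such as `# (PyPI distribution name, importable module name)` would make that clear. py-bcrypt and the bcrypt distribution both install a top-level module named `bcrypt`, so if the second element is what gets imported (its use is outside these hunks), an environment that still has py-bcrypt would satisfy the check even though both docstrings now name only the bcrypt library. If the two are meant to be interchangeable, the docstrings could say so; otherwise deployments should pin the intended distribution in their requirements. Both class bodies continue outside the hunks shown.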
|
@ -92,7 +92,7 @@ class TestUtilsHashPass(unittest.TestCase):
|
||||||
self.assertFalse(check_password('lètmeiz', encoded))
|
self.assertFalse(check_password('lètmeiz', encoded))
|
||||||
self.assertEqual(identify_hasher(encoded).algorithm, "crypt")
|
self.assertEqual(identify_hasher(encoded).algorithm, "crypt")
|
||||||
|
|
||||||
@skipUnless(bcrypt, "py-bcrypt not installed")
|
@skipUnless(bcrypt, "bcrypt not installed")
|
||||||
def test_bcrypt_sha256(self):
|
def test_bcrypt_sha256(self):
|
||||||
encoded = make_password('lètmein', hasher='bcrypt_sha256')
|
encoded = make_password('lètmein', hasher='bcrypt_sha256')
|
||||||
self.assertTrue(is_password_usable(encoded))
|
self.assertTrue(is_password_usable(encoded))
|
||||||
|
@ -108,7 +108,7 @@ class TestUtilsHashPass(unittest.TestCase):
|
||||||
self.assertTrue(check_password(password, encoded))
|
self.assertTrue(check_password(password, encoded))
|
||||||
self.assertFalse(check_password(password[:72], encoded))
|
self.assertFalse(check_password(password[:72], encoded))
|
||||||
|
|
||||||
@skipUnless(bcrypt, "py-bcrypt not installed")
|
@skipUnless(bcrypt, "bcrypt not installed")
|
||||||
def test_bcrypt(self):
|
def test_bcrypt(self):
|
||||||
encoded = make_password('lètmein', hasher='bcrypt')
|
encoded = make_password('lètmein', hasher='bcrypt')
|
||||||
self.assertTrue(is_password_usable(encoded))
|
self.assertTrue(is_password_usable(encoded))
|
||||||
|
|
|
@ -76,8 +76,8 @@ use it Django supports bcrypt with minimal effort.
|
||||||
|
|
||||||
To use Bcrypt as your default storage algorithm, do the following:
|
To use Bcrypt as your default storage algorithm, do the following:
|
||||||
|
|
||||||
1. Install the `py-bcrypt`_ library (probably by running ``sudo pip install
|
1. Install the `bcrypt library`_ (probably by running ``sudo pip install
|
||||||
py-bcrypt``, or downloading the library and installing it with ``python
|
bcrypt``, or downloading the library and installing it with ``python
|
||||||
setup.py install``).
|
setup.py install``).
|
||||||
|
|
||||||
2. Modify :setting:`PASSWORD_HASHERS` to list ``BCryptSHA256PasswordHasher``
|
2. Modify :setting:`PASSWORD_HASHERS` to list ``BCryptSHA256PasswordHasher``
|
||||||
|
@ -185,7 +185,7 @@ mentioned algorithms won't be able to upgrade.
|
||||||
.. _pbkdf2: http://en.wikipedia.org/wiki/PBKDF2
|
.. _pbkdf2: http://en.wikipedia.org/wiki/PBKDF2
|
||||||
.. _nist: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
|
.. _nist: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
|
||||||
.. _bcrypt: http://en.wikipedia.org/wiki/Bcrypt
|
.. _bcrypt: http://en.wikipedia.org/wiki/Bcrypt
|
||||||
.. _py-bcrypt: http://pypi.python.org/pypi/py-bcrypt/
|
.. _`bcrypt library`: https://pypi.python.org/pypi/bcrypt/
|
||||||
|
|
||||||
|
|
||||||
Manually managing a user's password
|
Manually managing a user's password
|
||||||
|
|