mirror of https://github.com/django/django.git
Fixed #19562 -- cleaned up password storage docs
This commit is contained in:
parent
b740da3504
commit
c8eff0dbcb
|
@ -14,17 +14,19 @@ How Django stores passwords
|
||||||
===========================
|
===========================
|
||||||
|
|
||||||
Django provides a flexible password storage system and uses PBKDF2 by default.
|
Django provides a flexible password storage system and uses PBKDF2 by default.
|
||||||
Older versions of Django used SHA1, and other algorithms couldn't be chosen.
|
|
||||||
|
|
||||||
The :attr:`~django.contrib.auth.models.User.password` attribute of a
|
The :attr:`~django.contrib.auth.models.User.password` attribute of a
|
||||||
:class:`~django.contrib.auth.models.User` object is a string in this format::
|
:class:`~django.contrib.auth.models.User` object is a string in this format::
|
||||||
|
|
||||||
algorithm$hash
|
<algorithm>$<iterations>$<salt>$<hash>
|
||||||
|
|
||||||
That's a storage algorithm, and hash, separated by the dollar-sign
|
Those are the components used for storing a User's password, separated by the
|
||||||
character. The algorithm is one of a number of one way hashing or password
|
dollar-sign character and consist of: the hashing algorithm, the number of
|
||||||
storage algorithms Django can use; see below. The hash is the result of the one-
|
algorithm iterations (work factor), the random salt, and the resulting password
|
||||||
way function.
|
hash. The algorithm is one of a number of one-way hashing or password storage
|
||||||
|
algorithms Django can use; see below. Iterations describe the number of times
|
||||||
|
the algorithm is run over the hash. Salt is the random seed used and the hash
|
||||||
|
is the result of the one-way function.
|
||||||
|
|
||||||
By default, Django uses the PBKDF2_ algorithm with a SHA256 hash, a
|
By default, Django uses the PBKDF2_ algorithm with a SHA256 hash, a
|
||||||
password stretching mechanism recommended by NIST_. This should be
|
password stretching mechanism recommended by NIST_. This should be
|
||||||
|
@ -36,13 +38,14 @@ algorithm, or even use a custom algorithm to match your specific
|
||||||
security situation. Again, most users shouldn't need to do this -- if
|
security situation. Again, most users shouldn't need to do this -- if
|
||||||
you're not sure, you probably don't. If you do, please read on:
|
you're not sure, you probably don't. If you do, please read on:
|
||||||
|
|
||||||
Django chooses the an algorithm by consulting the :setting:`PASSWORD_HASHERS`
|
Django chooses the algorithm to use by consulting the
|
||||||
setting. This is a list of hashing algorithm classes that this Django
|
:setting:`PASSWORD_HASHERS` setting. This is a list of hashing algorithm
|
||||||
installation supports. The first entry in this list (that is,
|
classes that this Django installation supports. The first entry in this list
|
||||||
``settings.PASSWORD_HASHERS[0]``) will be used to store passwords, and all the
|
(that is, ``settings.PASSWORD_HASHERS[0]``) will be used to store passwords,
|
||||||
other entries are valid hashers that can be used to check existing passwords.
|
and all the other entries are valid hashers that can be used to check existing
|
||||||
This means that if you want to use a different algorithm, you'll need to modify
|
passwords. This means that if you want to use a different algorithm, you'll
|
||||||
:setting:`PASSWORD_HASHERS` to list your preferred algorithm first in the list.
|
need to modify :setting:`PASSWORD_HASHERS` to list your preferred algorithm
|
||||||
|
first in the list.
|
||||||
|
|
||||||
The default for :setting:`PASSWORD_HASHERS` is::
|
The default for :setting:`PASSWORD_HASHERS` is::
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue