Fixed #29161 -- Removed BCryptPasswordHasher from PASSWORD_HASHERS.

django/conf/global_settings.py

@@ -512,7 +512,6 @@ PASSWORD_HASHERS = [
     'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
     'django.contrib.auth.hashers.Argon2PasswordHasher',
     'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
-    'django.contrib.auth.hashers.BCryptPasswordHasher',
 ]
 
 AUTH_PASSWORD_VALIDATORS = []

docs/ref/settings.txt

@@ -2835,7 +2835,6 @@ Default::
         'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
         'django.contrib.auth.hashers.Argon2PasswordHasher',
         'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
-        'django.contrib.auth.hashers.BCryptPasswordHasher',
     ]
 
 .. setting:: AUTH_PASSWORD_VALIDATORS

docs/releases/2.1.txt

@@ -278,6 +278,23 @@ Dropped support for PostgreSQL 9.3
 The end of upstream support for PostgreSQL 9.3 is September 2018. Django 2.1
 supports PostgreSQL 9.4 and higher.
 
+Removed ``BCryptPasswordHasher`` from the default ``PASSWORD_HASHERS`` setting
+------------------------------------------------------------------------------
+
+If you used bcrypt with Django 1.4 or 1.5 (before ``BCryptSHA256PasswordHasher``
+was added in Django 1.6), you might have some passwords that use the
+``BCryptPasswordHasher`` hasher.
+
+You can check if that's the case like this::
+
+    from django.contrib.auth import get_user_model
+    User = get_user_model()
+    User.objects.filter(password__startswith='bcrypt$$')
+
+If you want to continue to allow those passwords to be used, you'll
+have to define the :setting:`PASSWORD_HASHERS` setting (if you don't already)
+and include ``'django.contrib.auth.hashers.BCryptPasswordHasher'``.
+
 Miscellaneous
 -------------
 

docs/topics/auth/passwords.txt

@@ -62,7 +62,6 @@ The default for :setting:`PASSWORD_HASHERS` is::
         'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
         'django.contrib.auth.hashers.Argon2PasswordHasher',
         'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
-        'django.contrib.auth.hashers.BCryptPasswordHasher',
     ]
 
 This means that Django will use PBKDF2_ to store all passwords but will support
@@ -99,7 +98,6 @@ To use Argon2 as your default storage algorithm, do the following:
             'django.contrib.auth.hashers.PBKDF2PasswordHasher',
             'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
             'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
-            'django.contrib.auth.hashers.BCryptPasswordHasher',
         ]
 
    Keep and/or add any entries in this list if you need Django to :ref:`upgrade
@@ -126,7 +124,6 @@ To use Bcrypt as your default storage algorithm, do the following:
 
         PASSWORD_HASHERS = [
             'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
-            'django.contrib.auth.hashers.BCryptPasswordHasher',
             'django.contrib.auth.hashers.PBKDF2PasswordHasher',
             'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
             'django.contrib.auth.hashers.Argon2PasswordHasher',
@@ -138,31 +135,6 @@ To use Bcrypt as your default storage algorithm, do the following:
 That's it -- now your Django install will use Bcrypt as the default storage
 algorithm.
 
-.. admonition:: Password truncation with BCryptPasswordHasher
-
-    The designers of bcrypt truncate all passwords at 72 characters which means
-    that ``bcrypt(password_with_100_chars) == bcrypt(password_with_100_chars[:72])``.
-    The original ``BCryptPasswordHasher`` does not have any special handling and
-    thus is also subject to this hidden password length limit.
-    ``BCryptSHA256PasswordHasher`` fixes this by first hashing the
-    password using sha256. This prevents the password truncation and so should
-    be preferred over the ``BCryptPasswordHasher``. The practical ramification
-    of this truncation is pretty marginal as the average user does not have a
-    password greater than 72 characters in length and even being truncated at 72
-    the compute powered required to brute force bcrypt in any useful amount of
-    time is still astronomical. Nonetheless, we recommend you use
-    ``BCryptSHA256PasswordHasher`` anyway on the principle of "better safe than
-    sorry".
-
-.. admonition:: Other bcrypt implementations
-
-   There are several other implementations that allow bcrypt to be
-   used with Django. Django's bcrypt support is NOT directly
-   compatible with these. To upgrade, you will need to modify the
-   hashes in your database to be in the form ``bcrypt$(raw bcrypt
-   output)``. For example:
-   ``bcrypt$$2a$12$NT0I31Sa7ihGEWpka9ASYrEFkhuTNeBQ2xfZskIiiJeyFXhRgS.Sy``.
-
 .. _increasing-password-algorithm-work-factor:
 
 Increasing the work factor
@@ -202,7 +174,6 @@ default PBKDF2 algorithm:
             'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
             'django.contrib.auth.hashers.Argon2PasswordHasher',
             'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
-            'django.contrib.auth.hashers.BCryptPasswordHasher',
         ]
 
 That's it -- now your Django install will use more iterations when it

tests/auth_tests/test_hashers.py

@@ -172,6 +172,7 @@ class TestUtilsHashPass(SimpleTestCase):
         self.assertFalse(check_password(' ', blank_encoded))
 
     @skipUnless(bcrypt, "bcrypt not installed")
+    @override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.BCryptPasswordHasher'])
     def test_bcrypt(self):
         encoded = make_password('lètmein', hasher='bcrypt')
         self.assertTrue(is_password_usable(encoded))
@@ -187,6 +188,7 @@ class TestUtilsHashPass(SimpleTestCase):
         self.assertFalse(check_password(' ', blank_encoded))
 
     @skipUnless(bcrypt, "bcrypt not installed")
+    @override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.BCryptPasswordHasher'])
     def test_bcrypt_upgrade(self):
         hasher = get_hasher('bcrypt')
         self.assertEqual('bcrypt', hasher.algorithm)
@@ -219,6 +221,7 @@ class TestUtilsHashPass(SimpleTestCase):
             hasher.rounds = old_rounds
 
     @skipUnless(bcrypt, "bcrypt not installed")
+    @override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.BCryptPasswordHasher'])
     def test_bcrypt_harden_runtime(self):
         hasher = get_hasher('bcrypt')
         self.assertEqual('bcrypt', hasher.algorithm)