Fixed #26187 -- Removed weak password hashers from PASSWORD_HASHERS.

Tim Graham 2016-02-08 14:22:38 -05:00
parent b14470c7b7
commit 47b5a6a43c
5 changed files with 119 additions and 33 deletions

@ -2686,13 +2686,22 @@ Default::
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
'django.contrib.auth.hashers.BCryptPasswordHasher',
'django.contrib.auth.hashers.SHA1PasswordHasher',
'django.contrib.auth.hashers.MD5PasswordHasher',
'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher',
'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher',
'django.contrib.auth.hashers.CryptPasswordHasher',
]
.. versionchanged:: 1.10
The following hashers were removed from the defaults::
'django.contrib.auth.hashers.SHA1PasswordHasher'
'django.contrib.auth.hashers.MD5PasswordHasher'
'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher'
'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher'
'django.contrib.auth.hashers.CryptPasswordHasher'
Consider using a :ref:`wrapped password hasher <wrapping-password-hashers>`
to strengthen the hashes in your database. If that's not feasible, add this
setting to your project and add back any hashers that you need.
.. setting:: AUTH_PASSWORD_VALIDATORS
``AUTH_PASSWORD_VALIDATORS``
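Review bot: The closing sentence of the ``versionchanged`` note ("add this setting to your project and add back any hashers that you need") leaves out two things an upgrading project needs to know. First, it does not state what happens to accounts whose stored passwords use one of the five removed hashers once they are no longer in the defaults; one sentence saying those passwords stop verifying until the hasher is listed again would make the impact clear. Second, it does not say where in the list a re-added hasher belongs. Since the first entry of ``PASSWORD_HASHERS`` is the one used to store new passwords, the note should tell readers to append the weak hashers after the defaults rather than put them first. A smaller style point: the removed hashers are listed without trailing commas, unlike the ``Default::`` block above, so the lines cannot be pasted straight into the setting.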