Fixed #26187 -- Removed weak password hashers from PASSWORD_HASHERS.

2025-08-04 02:48:35 +00:00 · 2016-02-08 14:22:38 -05:00 · 2016-02-08 14:22:38 -05:00 · 47b5a6a43c
commit 47b5a6a43c
parent b14470c7b7
5 changed files with 119 additions and 33 deletions
--- a/docs/topics/auth/passwords.txt
+++ b/docs/topics/auth/passwords.txt
@ -62,15 +62,13 @@ The default for :setting:`PASSWORD_HASHERS` is::
        'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
        'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
        'django.contrib.auth.hashers.BCryptPasswordHasher',
-        'django.contrib.auth.hashers.SHA1PasswordHasher',
-        'django.contrib.auth.hashers.MD5PasswordHasher',
-        'django.contrib.auth.hashers.CryptPasswordHasher',
    ]

-This means that Django will use PBKDF2_ to store all passwords, but will support
-checking passwords stored with PBKDF2SHA1, bcrypt_, SHA1_, etc. The next few
-sections describe a couple of common ways advanced users may want to modify this
-setting.
+This means that Django will use PBKDF2_ to store all passwords but will support
+checking passwords stored with PBKDF2SHA1 and bcrypt_.
+
+The next few sections describe a couple of common ways advanced users may want
+to modify this setting.

 .. _bcrypt_usage:

@ -96,13 +94,10 @@ To use Bcrypt as your default storage algorithm, do the following:
            'django.contrib.auth.hashers.BCryptPasswordHasher',
            'django.contrib.auth.hashers.PBKDF2PasswordHasher',
            'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
-            'django.contrib.auth.hashers.SHA1PasswordHasher',
-            'django.contrib.auth.hashers.MD5PasswordHasher',
-            'django.contrib.auth.hashers.CryptPasswordHasher',
        ]

-   (You need to keep the other entries in this list, or else Django won't
-   be able to upgrade passwords; see below).
+   Keep and/or add any entries in this list if you need Django to :ref:`upgrade
+   passwords <password-upgrades>`.

 That's it -- now your Django install will use Bcrypt as the default storage
 algorithm.
@ -168,12 +163,8 @@ default PBKDF2 algorithm:
            'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
            'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
            'django.contrib.auth.hashers.BCryptPasswordHasher',
-            'django.contrib.auth.hashers.SHA1PasswordHasher',
-            'django.contrib.auth.hashers.MD5PasswordHasher',
-            'django.contrib.auth.hashers.CryptPasswordHasher',
        ]

-
 That's it -- now your Django install will use more iterations when it
 stores passwords using PBKDF2.

@ -288,6 +279,37 @@ Include any other hashers that your site uses in this list.
 .. _bcrypt: https://en.wikipedia.org/wiki/Bcrypt
 .. _`bcrypt library`: https://pypi.python.org/pypi/bcrypt/

+.. _auth-included-hashers:
+
+Included hashers
+----------------
+
+The full list of hashers included in Django is::
+
+    [
+        'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+        'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
+        'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
+        'django.contrib.auth.hashers.BCryptPasswordHasher',
+        'django.contrib.auth.hashers.SHA1PasswordHasher',
+        'django.contrib.auth.hashers.MD5PasswordHasher',
+        'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher',
+        'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher',
+        'django.contrib.auth.hashers.CryptPasswordHasher',
+    ]
+
+The corresponding algorithm names are:
+
+* ``pbkdf2_sha256``
+* ``pbkdf2_sha1``
+* ``bcrypt_sha256``
+* ``bcrypt``
+* ``sha1``
+* ``md5``
+* ``unsalted_sha1``
+* ``unsalted_md5``
+* ``crypt``
+
 Manually managing a user's password
 ===================================

@ -311,13 +333,10 @@ from the ``User`` model.
    Creates a hashed password in the format used by this application. It takes
    one mandatory argument: the password in plain-text. Optionally, you can
    provide a salt and a hashing algorithm to use, if you don't want to use the
-    defaults (first entry of ``PASSWORD_HASHERS`` setting).
-    Currently supported algorithms are: ``'pbkdf2_sha256'``, ``'pbkdf2_sha1'``,
-    ``'bcrypt_sha256'`` (see :ref:`bcrypt_usage`), ``'bcrypt'``, ``'sha1'``,
-    ``'md5'``, ``'unsalted_md5'`` (only for backward compatibility) and ``'crypt'``
-    if you have the ``crypt`` library installed. If the password argument is
-    ``None``, an unusable password is returned (a one that will be never
-    accepted by :func:`check_password`).
+    defaults (first entry of ``PASSWORD_HASHERS`` setting). See
+    :ref:`auth-included-hashers` for the algorithm name of each hasher. If the
+    password argument is ``None``, an unusable password is returned (a one that
+    will be never accepted by :func:`check_password`).

 .. function:: is_password_usable(encoded_password)