Fixed #31358 -- Increased salt entropy of password hashers.

Co-authored-by: Florian Apolloner <florian@apolloner.eu>
2025-08-03 18:38:50 +00:00 · 2020-06-24 19:28:07 -07:00 · 2020-06-24 19:28:07 -07:00 · 76ae6ccf85
commit 76ae6ccf85
parent 6bd206e1ff
5 changed files with 77 additions and 7 deletions
--- a/docs/topics/auth/passwords.txt
+++ b/docs/topics/auth/passwords.txt
@ -137,6 +137,26 @@ To use Bcrypt as your default storage algorithm, do the following:
 That's it -- now your Django install will use Bcrypt as the default storage
 algorithm.

+Increasing the salt entropy
+---------------------------
+
+.. versionadded:: 3.2
+
+Most password hashes include a salt along with their password hash in order to
+protect against rainbow table attacks. The salt itself is a random value which
+increases the size and thus the cost of the rainbow table and is currently set
+at 128 bits with the ``salt_entropy`` value in the ``BasePasswordHasher``. As
+computing and storage costs decrease this value should be raised. When
+implementing your own password hasher you are free to override this value in
+order to use a desired entropy level for your password hashes. ``salt_entropy``
+is measured in bits.
+
+.. admonition:: Implementation detail
+
+    Due to the method in which salt values are stored the ``salt_entropy``
+    value is effectively a minimum value. For instance a value of 128 would
+    provide a salt which would actually contain 131 bits of entropy.
+
 .. _increasing-password-algorithm-work-factor:

 Increasing the work factor