Merge pull request #1644 from PaulMcMillan/bump_hash_iterations

Increase default PBKDF2 iterations
2025-11-03 05:13:23 +00:00 · 2013-09-19 12:17:56 -07:00 · 2013-09-19 12:17:56 -07:00 · f8f47718ab
commit f8f47718ab
parent 2c5c422d34 a075e2ad0d
5 changed files with 27 additions and 12 deletions
--- a/docs/internals/howto-release-django.txt
+++ b/docs/internals/howto-release-django.txt
@ -89,6 +89,13 @@ any time leading up to the actual release:
   key you'll use for the release, and should include patches for each issue
   being fixed.

+#. If this is a major release, make sure the tests pass, then increase
+   the default PBKDF2 iterations in
+   ``django.contrib.auth.hashers.PBKDF2PasswordHasher`` by about 10%
+   (pick a round number). Run the tests, and update the 3 failing
+   hasher tests with the new values. Make sure this gets noted in the
+   release notes (see release notes on 1.6 for an example).
+
 #. As the release approaches, watch Trac to make sure no release blockers
   are left for the upcoming release.

--- a/docs/releases/1.6.txt
+++ b/docs/releases/1.6.txt
@ -365,6 +365,13 @@ Minor features
  a list (except on SQLite). This has long been possible (but not officially
  supported) on MySQL and PostgreSQL, and is now also available on Oracle.

+* The default iteration count for the PBKDF2 password hasher has been
+  increased by 20%. This backwards compatible change will not affect
+  existing passwords or users who have subclassed
+  `django.contrib.auth.hashers.PBKDF2PasswordHasher`` to change the
+  default value.
+
+
 Backwards incompatible changes in 1.6
 =====================================