| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2026-05-13 18:05:40 +0200 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-05-20 16:17:41 -0400 |
| commit | e78a46a8fb291a11a31b6938b5089db1058f3925 (patch) | |
| tree | 92ca82ef03e7a884205aafa96445c13b8028c545 | |
| parent | 0c0bda7f79a2de89a55cfcc8e60467d6588f406f (diff) | |
Increased the default PBKDF2 iterations for Django 6.2.
| -rw-r--r-- | django/contrib/auth/hashers.py | 2 | ||||
| -rw-r--r-- | docs/releases/6.2.txt | 3 | ||||
| -rw-r--r-- | tests/auth_tests/test_hashers.py | 10 |
3 files changed, 8 insertions, 7 deletions
diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
index 814185e51a..7e9b7c090a 100644
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@@ -324,7 +324,7 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
 """
 algorithm = "pbkdf2_sha256"
- iterations = 1_500_000
+ iterations = 1_800_000
 digest = hashlib.sha256
 def encode(self, password, salt, iterations=None):
diff --git a/docs/releases/6.2.txt b/docs/releases/6.2.txt
index 7ea0c58137..ba9396313d 100644
--- a/docs/releases/6.2.txt
+++ b/docs/releases/6.2.txt
@@ -47,7 +47,8 @@ Minor features
 :mod:`django.contrib.auth`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
-* ...
+* The default iteration count for the PBKDF2 password hasher is increased from
+ 1,500,000 to 1,800,000.
 :mod:`django.contrib.contenttypes`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
index 9fb7e3f95d..8815bb02d9 100644
--- a/tests/auth_tests/test_hashers.py
+++ b/tests/auth_tests/test_hashers.py
@@ -85,8 +85,8 @@ class TestUtilsHashPass(SimpleTestCase):
 encoded = make_password("lètmein", "seasalt", "pbkdf2_sha256")
 self.assertEqual(
 encoded,
- "pbkdf2_sha256$1500000$"
- "seasalt$P4UiMPVduVWIL/oS1GzH+IofsccjJNM5hUTikBvi5to=",
+ "pbkdf2_sha256$1800000$"
+ "seasalt$sXv9FzN4gEo6/P8G5H1jvir9BIb5e5EkXoVGyjOniNE=",
 )
 self.assertTrue(is_password_usable(encoded))
 self.assertTrue(check_password("lètmein", encoded))
@@ -279,8 +279,8 @@ class TestUtilsHashPass(SimpleTestCase):
 encoded = hasher.encode("lètmein", "seasalt2")
 self.assertEqual(
 encoded,
- "pbkdf2_sha256$1500000$"
- "seasalt2$xWKIh704updzhxL+vMfPbhVsHljK62FyE988AtcoHU4=",
+ "pbkdf2_sha256$1800000$"
+ "seasalt2$swjWuQn/bYIeQWF1JQRMdMdckgYo6ZXtwyjAMt8Nxdg=",
 )
 self.assertTrue(hasher.verify("lètmein", encoded))
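Review bot: The `iterations = 1_800_000` attribute in django/contrib/auth/hashers.py has no comment explaining its reach, and the release note names only "the PBKDF2 password hasher". The updated `pbkdf2_sha1$1800000$` vector in tests/auth_tests/test_hashers.py indicates that `PBKDF2SHA1PasswordHasher` picks up the same value, presumably by inheritance, so both hashers become more expensive per login. I would add above the attribute `# Default work factor, inherited by subclasses; hashes stored with another count are re-encoded after the next successful login.` The re-encoding half of that comment assumes `must_update()` compares the stored count with this attribute, which sits outside the hunk and should be confirmed before merging. The class body starts and ends outside the hunk.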
@@ -288,7 +288,7 @@ class TestUtilsHashPass(SimpleTestCase):
 hasher = PBKDF2SHA1PasswordHasher()
 encoded = hasher.encode("lètmein", "seasalt2")
 self.assertEqual(
- encoded, "pbkdf2_sha1$1500000$seasalt2$ep4Ou2hnt2mlvMRsIjUln0Z5MYY="
+ encoded, "pbkdf2_sha1$1800000$seasalt2$MEx5Z/KZ384PO7zdMHxMvXH2k3g="
 )
 self.assertTrue(hasher.verify("lètmein", encoded)) |
