summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorRoy Zheng <roycraft3@gmail.com>2020-08-10 14:30:39 -0700
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2020-08-11 08:20:56 +0200
commit02572bfc59d5f270b529be81c02ab236153eebf2 (patch)
tree6ecd906ad4cfd2b9921486c53ee8e61ccfe1a76c /docs
parenta1ce98fa6fba82fc0606b59a0e57b061d8997174 (diff)
[3.1.x] Added note about password updates on argon2 attributes change.
Backport of 804f2b70244d435c63f7f7c6312a829bc41b2ca4 from master
Diffstat (limited to 'docs')
-rw-r--r--docs/topics/auth/passwords.txt4
1 files changed, 2 insertions, 2 deletions
diff --git a/docs/topics/auth/passwords.txt b/docs/topics/auth/passwords.txt
index cc8ca55501..00381ecdeb 100644
--- a/docs/topics/auth/passwords.txt
+++ b/docs/topics/auth/passwords.txt
@@ -224,8 +224,8 @@ However, Django can only upgrade passwords that use algorithms mentioned in
:setting:`PASSWORD_HASHERS`, so as you upgrade to new systems you should make
sure never to *remove* entries from this list. If you do, users using
unmentioned algorithms won't be able to upgrade. Hashed passwords will be
-updated when increasing (or decreasing) the number of PBKDF2 iterations or
-bcrypt rounds.
+updated when increasing (or decreasing) the number of PBKDF2 iterations, bcrypt
+rounds, or argon2 attributes.
Be aware that if all the passwords in your database aren't encoded in the
default hasher's algorithm, you may be vulnerable to a user enumeration timing