diff options
| author | Paul McMillan <Paul@McMillan.ws> | 2011-12-23 05:00:51 +0000 |
|---|---|---|
| committer | Paul McMillan <Paul@McMillan.ws> | 2011-12-23 05:00:51 +0000 |
| commit | 2d1a681f77259e9652c357a634920d7f8f1ecd97 (patch) | |
| tree | 711f095e8b62b2c63a3a7e0718360e4cfef82941 /docs | |
| parent | d49fd627a64aa888924ef463d4de59fc904c6609 (diff) | |
Added password hashing improvements to 1.4 alpha 1 release notes.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@17258 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.4-alpha-1.txt | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/docs/releases/1.4-alpha-1.txt b/docs/releases/1.4-alpha-1.txt index aa5bf54bef..4ab9e32280 100644 --- a/docs/releases/1.4-alpha-1.txt +++ b/docs/releases/1.4-alpha-1.txt @@ -99,6 +99,23 @@ allows you to fix a very common performance problem in which your code ends up doing O(n) database queries (or worse) if objects on your primary ``QuerySet`` each have many related objects that you also need. +Improved password hashing +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Django's auth system (``django.contrib.auth``) stores passwords using a one-way +algorithm. Django 1.3 uses the SHA1_ algorithm, but increasing processor speeds +and theoretical attacks have revealed that SHA1 isn't as secure as we'd like. +Thus, Django 1.4 introduces a new password storage system: by default Django now +uses the PBKDF2_ algorithm (as recommended by NIST_). You can also easily choose +a different algorithm (including the popular bcrypt_ algorithm). For more +details, see :ref:`auth_password_storage`. + +.. _sha1: http://en.wikipedia.org/wiki/SHA1 +.. _pbkdf2: http://en.wikipedia.org/wiki/PBKDF2 +.. _nist: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf +.. _bcrypt: http://en.wikipedia.org/wiki/Bcrypt + + HTML5 Doctype ~~~~~~~~~~~~~ |
