| author | Claude Paroz <claude@2xlibre.net> | 2022-07-23 12:45:24 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-07-23 21:29:31 +0200 |
| commit | 3b79dab19a2300a4884a3d81baa6c7c1f2dee059 (patch) | |
| tree | 325e7d980634e695bee88b6a1ccb2e48c14660da /docs | |
| parent | a46dfa87d0ba690125be98f7f1b77062a1794fdc (diff) | |
Refs #33691 -- Deprecated insecure password hashers.
SHA1PasswordHasher, UnsaltedSHA1PasswordHasher, and UnsaltedMD5PasswordHasher
are now deprecated.
Diffstat (limited to 'docs')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/internals/deprecation.txt | 4 |
| -rw-r--r-- | docs/releases/4.2.txt | 4 |
| -rw-r--r-- | docs/topics/auth/passwords.txt | 45 |
3 files changed, 27 insertions, 26 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt index 43c7a0fee9..80597eb95b 100644 --- a/docs/internals/deprecation.txt +++ b/docs/internals/deprecation.txt @@ -24,6 +24,10 @@ details on these changes. * The ``length_is`` template filter will be removed. +* The ``django.contrib.auth.hashers.SHA1PasswordHasher``, + ``django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher``, and + ``django.contrib.auth.hashers.UnsaltedMD5PasswordHasher`` will be removed. + .. _deprecation-removed-in-5.0: 5.0 diff --git a/docs/releases/4.2.txt b/docs/releases/4.2.txt index 0846f05e2c..1d55ea2f68 100644 --- a/docs/releases/4.2.txt +++ b/docs/releases/4.2.txt @@ -332,3 +332,7 @@ Miscellaneous {% if value|length_is:4 %}…{% endif %} {{ value|length_is:4 }} + +* ``django.contrib.auth.hashers.SHA1PasswordHasher``, + ``django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher``, and + ``django.contrib.auth.hashers.UnsaltedMD5PasswordHasher`` are deprecated. diff --git a/docs/topics/auth/passwords.txt b/docs/topics/auth/passwords.txt index 3836ab4006..25c98bf786 100644 --- a/docs/topics/auth/passwords.txt +++ b/docs/topics/auth/passwords.txt 
@@ -329,12 +329,12 @@ to mitigate this by :ref:`upgrading older password hashes Password upgrading without requiring a login -------------------------------------------- -If you have an existing database with an older, weak hash such as MD5 or SHA1, -you might want to upgrade those hashes yourself instead of waiting for the -upgrade to happen when a user logs in (which may never happen if a user doesn't -return to your site). In this case, you can use a "wrapped" password hasher. +If you have an existing database with an older, weak hash such as MD5, you +might want to upgrade those hashes yourself instead of waiting for the upgrade +to happen when a user logs in (which may never happen if a user doesn't return +to your site). In this case, you can use a "wrapped" password hasher. -For this example, we'll migrate a collection of SHA1 hashes to use +For this example, we'll migrate a collection of MD5 hashes to use PBKDF2(SHA1(password)) and add the corresponding password hasher for checking if a user entered the correct password on login. We assume we're using the built-in ``User`` model and that our project has an ``accounts`` app. You can 
@@ -346,37 +346,37 @@ First, we'll add the custom hasher: :caption: ``accounts/hashers.py`` from django.contrib.auth.hashers import ( - PBKDF2PasswordHasher, SHA1PasswordHasher, + PBKDF2PasswordHasher, MD5PasswordHasher, ) - class PBKDF2WrappedSHA1PasswordHasher(PBKDF2PasswordHasher): - algorithm = 'pbkdf2_wrapped_sha1' + class PBKDF2WrappedMD5PasswordHasher(PBKDF2PasswordHasher): + algorithm = 'pbkdf2_wrapped_md5' - def encode_sha1_hash(self, sha1_hash, salt, iterations=None): - return super().encode(sha1_hash, salt, iterations) + def encode_md5_hash(self, md5_hash, salt, iterations=None): + return super().encode(md5_hash, salt, iterations) def encode(self, password, salt, iterations=None): - _, _, sha1_hash = SHA1PasswordHasher().encode(password, salt).split('$', 2) - return self.encode_sha1_hash(sha1_hash, salt, iterations) + _, _, md5_hash = MD5PasswordHasher().encode(password, salt).split('$', 2) + return self.encode_md5_hash(md5_hash, salt, iterations) The data migration might look something like: .. code-block:: python - :caption: ``accounts/migrations/0002_migrate_sha1_passwords.py`` + :caption: ``accounts/migrations/0002_migrate_md5_passwords.py`` from django.db import migrations - from ..hashers import PBKDF2WrappedSHA1PasswordHasher + from ..hashers import PBKDF2WrappedMD5PasswordHasher def forwards_func(apps, schema_editor): User = apps.get_model('auth', 'User') - users = User.objects.filter(password__startswith='sha1$') - hasher = PBKDF2WrappedSHA1PasswordHasher() + users = User.objects.filter(password__startswith='md5$') + hasher = PBKDF2WrappedMD5PasswordHasher() for user in users: - algorithm, salt, sha1_hash = user.password.split('$', 2) - user.password = hasher.encode_sha1_hash(sha1_hash, salt) + algorithm, salt, md5_hash = user.password.split('$', 2) + user.password = hasher.encode_md5_hash(md5_hash, salt) user.save(update_fields=['password']) 
@@ -402,12 +402,11 @@ Finally, we'll add a :setting:`PASSWORD_HASHERS` setting: PASSWORD_HASHERS = [ 'django.contrib.auth.hashers.PBKDF2PasswordHasher', - 'accounts.hashers.PBKDF2WrappedSHA1PasswordHasher', + 'accounts.hashers.PBKDF2WrappedMD5PasswordHasher', ] Include any other hashers that your site uses in this list. -.. _sha1: https://en.wikipedia.org/wiki/SHA1 .. _pbkdf2: https://en.wikipedia.org/wiki/PBKDF2 .. _nist: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf .. _bcrypt: https://en.wikipedia.org/wiki/Bcrypt @@ -431,10 +430,7 @@ The full list of hashers included in Django is:: 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher', 'django.contrib.auth.hashers.BCryptPasswordHasher', 'django.contrib.auth.hashers.ScryptPasswordHasher', - 'django.contrib.auth.hashers.SHA1PasswordHasher', 'django.contrib.auth.hashers.MD5PasswordHasher', - 'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher', - 'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher', ] The corresponding algorithm names are: @@ -445,10 +441,7 @@ The corresponding algorithm names are: * ``bcrypt_sha256`` * ``bcrypt`` * ``scrypt`` -* ``sha1`` * ``md5`` -* ``unsalted_sha1`` -* ``unsalted_md5`` .. _write-your-own-password-hasher: |
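Review bot: the new "Miscellaneous" bullet in docs/releases/4.2.txt states that the three hashers are deprecated but not what a site still holding ``sha1$``, ``unsalted_sha1$`` or ``unsalted_md5$`` rows should do about it; a cross-reference to the "Password upgrading without requiring a login" section of docs/topics/auth/passwords.txt (the section this same commit rewrites) would tell readers to migrate those rows before the hashers are removed.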
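Review bot: in the @@ -329 hunk of docs/topics/auth/passwords.txt the rewritten sentence now says "we'll migrate a collection of MD5 hashes to use", but the unchanged context line that follows still reads "PBKDF2(SHA1(password)) and add the corresponding password hasher"; it needs to become "PBKDF2(MD5(password))" so the prose matches the ``PBKDF2WrappedMD5PasswordHasher`` / ``encode_md5_hash`` code introduced in the next hunk.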
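Review bot: after the @@ -346 hunk this example is the only documented recipe for upgrading legacy hashes, yet its filter ``User.objects.filter(password__startswith='md5$')`` selects none of the formats this commit deprecates (``sha1$``, ``unsalted_sha1$``, ``unsalted_md5$``), and ``MD5PasswordHasher`` itself stays in the supported list. Suggest one sentence noting that the same pattern applies to ``sha1$`` rows by substituting ``SHA1PasswordHasher`` and a ``pbkdf2_wrapped_sha1`` algorithm name while that hasher still ships, since those are exactly the rows sites must migrate before removal. Separately, ``hasher.encode_md5_hash(md5_hash, salt)`` reuses the stored MD5 salt as the PBKDF2 salt; that is unchanged from the SHA1 version of the example, but a short comment would stop readers from assuming a fresh salt is generated.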
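Review bot: the @@ -402 hunk deletes the ``.. _sha1:`` link target but leaves ``_pbkdf2``, ``_nist`` and ``_bcrypt`` in place; if any ``SHA1_`` reference remains elsewhere in passwords.txt (the diff only shows the changed hunks), the docs build will now report an unknown target, so the whole file should be checked for that reference before merging.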
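Review bot: the @@ -431 hunk removes the three classes from a list introduced as "The full list of hashers included in Django is::", but deprecated hashers still ship until their removal, so the sentence is no longer literally true; either keep the three entries with a "(deprecated)" marker or reword the lead-in to describe the supported, non-deprecated hashers.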
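Review bot: the @@ -445 hunk drops ``sha1``, ``unsalted_sha1`` and ``unsalted_md5`` from "The corresponding algorithm names are:", yet these strings are the prefixes of stored ``password`` values on existing sites and are what the migration in this same document keys on (``password__startswith='md5$'``); consider keeping them listed with a deprecation note until removal so readers auditing their user table can still recognise the legacy formats.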
