| Age | Commit message | Author | |
|---|---|---|---|
| 2025-09-17 | Increased the default PBKDF2 iterations for Django 6.1. | Jacob Walls | |
| 2025-08-27 | Fixed #36572 -- Revert "Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()." | Sarah Boyce | |
| This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0. | |||
| 2025-08-25 | Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest(). | SaJH | |
| Signed-off-by: SaJH <wogur981208@gmail.com> | |||
| 2025-07-31 | Fixed #36439 -- Optimized acheck_password by using sync_to_async on verify_password. | Roel Delos Reyes | |
| 2025-07-23 | Removed double spaces after periods and within phrases. | Sarah Boyce | |
| 2025-07-22 | Fixed #36226 -- Accepted str or bytes for password and salt in password hashers. | Roel Delos Reyes | |
| Co-authored-by: Screamadelica <1621456391@sjtu.edu.cn> | |||
| 2025-01-15 | Increased the default PBKDF2 iterations for Django 6.0. | Sarah Boyce | |
| 2024-07-09 | Fixed CVE-2024-39329 -- Standardized timing of verify_password() when checking unusable passwords. | Michael Manfre | |
| Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review. | |||
| 2024-05-22 | Increased the default PBKDF2 iterations for Django 5.2. | Natalia | |
| 2024-05-17 | Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher. | SaJH | |
| 2023-09-18 | Increased the default PBKDF2 iterations for Django 5.1. | Mariusz Felisiak | |
| 2023-09-18 | Refs #33691 -- Removed insecure password hashers per deprecation timeline. | Mariusz Felisiak | |
| 2023-05-18 | Fixed #34565 -- Added support for async checking of user passwords. | HappyDingning | |
| 2023-02-04 | Increased the default PBKDF2 iterations for Django 5.0. | Mariusz Felisiak | |
| Follow up to 9a1848f48c1f7f627a52b2063a8a8428e77765d6. | |||
| 2023-01-18 | Refs #34233 -- Used str.removeprefix()/removesuffix(). | Mariusz Felisiak | |
| 2023-01-18 | Fixed #34233 -- Dropped support for Python 3.8 and 3.9. | Mariusz Felisiak | |
| 2023-01-17 | Increased the default PBKDF2 iterations for Django 5.0. | Mariusz Felisiak | |
| 2023-01-17 | Refs #33691 -- Removed django.contrib.auth.hashers.CryptPasswordHasher per deprecation timeline. | Mariusz Felisiak | |
| 2022-07-23 | Refs #33691 -- Deprecated insecure password hashers. | Claude Paroz | |
| SHA1PasswordHasher, UnsaltedSHA1PasswordHasher, and UnsaltedMD5PasswordHasher are now deprecated. | |||
| 2022-05-17 | Increased the default PBKDF2 iterations for Django 4.2. | Carlton Gibson | |
| 2022-05-11 | Fixed #33691 -- Deprecated django.contrib.auth.hashers.CryptPasswordHasher. | Mariusz Felisiak | |
| 2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot | |
| 2022-02-03 | Refs #33476 -- Refactored problematic code before reformatting by Black. | Mariusz Felisiak | |
| In these cases Black produces unexpected results, e.g. `def make_random_password( self, length=10, allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789', ):` or `cursor.execute(""" SELECT ... """, [table name], )` | |||
| 2021-12-17 | Changed signatures of setting_changed signal receivers. | Adam Johnson | |
| 2021-10-12 | Fixed #28401 -- Allowed hashlib.md5() calls to work with FIPS kernels. | Ade Lee | |
| md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed. See https://bugs.python.org/issue9216 for more details. Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() has been added. This encapsulation will pass through the usedforsecurity parameter in the case where the parameter is supported, and strip it if it is not. Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2021-09-27 | Refs #32355 -- Used @functools.lru_cache as a straight decorator. | Mariusz Felisiak | |
| 2021-09-20 | Increased the default PBKDF2 iterations for Django 4.1. | Mariusz Felisiak | |
| 2021-09-06 | Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in encode() methods of remaining password hashers. | Mateo Radman | |
| 2021-07-22 | Fixed #32275 -- Added scrypt password hasher. | ryowright | |
| Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> | |||
| 2021-07-22 | Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in encode() methods of some password hashers. | Mariusz Felisiak | |
| 2021-01-14 | Increased the default PBKDF2 iterations for Django 4.0. | Mariusz Felisiak | |
| 2021-01-14 | Fixed #31358 -- Increased salt entropy of password hashers. | Jon Moroney | |
| Co-authored-by: Florian Apolloner <florian@apolloner.eu> | |||
| 2021-01-13 | Refs #31358 -- Added constant for get_random_string()'s default alphabet. | Florian Apolloner | |
| 2020-12-28 | Refs #31358 -- Fixed decoding salt in Argon2PasswordHasher. | Florian Apolloner | |
| Argon2 encodes the salt as base64 for representation in the final hash output. To be able to accurately return the used salt from decode(), add padding, b64decode, and decode from latin1 (for the remote possibility that someone supplied a custom hash consisting solely of bytes -- this would require a manual construction of the hash though, Django's interface does not allow for that). | |||
| 2020-12-28 | Refs #31358 -- Simplified Argon2PasswordHasher.must_update() by using decode(). | Florian Apolloner | |
| 2020-06-23 | Refs #31358 -- Added decode() to password hashers. | Jon Moroney | |
| By convention a hasher which does not use a salt should populate the decode dict with `None` rather than omit the dict key. Co-Authored-By: Florian Apolloner <apollo13@users.noreply.github.com> | |||
| 2020-06-17 | Fixed #30472 -- Made Argon2PasswordHasher use Argon2id. | Florian Apolloner | |
| 2020-06-17 | Refs #30472 -- Simplified Argon2PasswordHasher with argon2-cffi 19.1+ API. | Florian Apolloner | |
| 2020-05-13 | Increased the default PBKDF2 iterations for Django 3.2. | Mariusz Felisiak | |
| 2020-03-31 | Fixed #31375 -- Made contrib.auth.hashers.make_password() accept only bytes or strings. | Hasan Ramezani | |
| 2020-03-11 | Fixed #31359 -- Deprecated get_random_string() calls without an explicit length. | Claude Paroz | |
| 2019-09-12 | Increased the default PBKDF2 iterations for Django 3.1. | Carlton Gibson | |
| 2019-02-06 | Fixed #30159 -- Removed unneeded use of OrderedDict. | Nick Pope | |
| Dicts preserve order since Python 3.6. | |||
| 2019-01-17 | Increased the default PBKDF2 iterations for Django 3.0. | Tim Graham | |
| 2018-05-17 | Increased the default PBKDF2 iterations for Django 2.2. | Tim Graham | |
| 2018-05-13 | Increased the default PBKDF2 iterations for Django 2.1. | Tim Graham | |
| 2018-03-22 | Fixed #28718 -- Allowed user to request a password reset if their password doesn't use an enabled hasher. | Tim Graham | |
| Regression in aeb1389442d0f9669edf6660b747fd10693b63a7. Reverted changes to is_password_usable() from 703c266682be39f7153498ad0d8031231f12ee79 and documentation changes from 92f48680dbd2e02f2b33f6ad0e35b7d337889fb2. | |||
| 2018-02-26 | Fixed #29141 -- Corrected BCryptPasswordHasher's docstring about truncation. | Tim Graham | |
| 2018-02-01 | Refs #27795 -- Replaced force_text/bytes() with decode()/encode() in password hashers. | Jon Dufresne | |
| 2018-01-03 | Fixed #28982 -- Simplified code with and/or. | Дилян Палаузов | |
