path: root/django/contrib/auth/hashers.py
Age | Commit message | Author
2025-09-17 | Increased the default PBKDF2 iterations for Django 6.1. | Jacob Walls
2025-08-27 | Fixed #36572 -- Revert "Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()." | Sarah Boyce
    This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.
2025-08-25 | Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest(). | SaJH
    Signed-off-by: SaJH <wogur981208@gmail.com>
2025-07-31 | Fixed #36439 -- Optimized acheck_password by using sync_to_async on verify_password. | Roel Delos Reyes
2025-07-23 | Removed double spaces after periods and within phrases. | Sarah Boyce
2025-07-22 | Fixed #36226 -- Accepted str or bytes for password and salt in password hashers. | Roel Delos Reyes
    Co-authored-by: Screamadelica <1621456391@sjtu.edu.cn>
2025-01-15 | Increased the default PBKDF2 iterations for Django 6.0. | Sarah Boyce
2024-07-09 | Fixed CVE-2024-39329 -- Standardized timing of verify_password() when checking unusable passwords. | Michael Manfre
    Refs #20760. Thanks Michael Manfre for the fix and to Adam Johnson for the review.
2024-05-22 | Increased the default PBKDF2 iterations for Django 5.2. | Natalia
2024-05-17 | Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher. | SaJH
2023-09-18 | Increased the default PBKDF2 iterations for Django 5.1. | Mariusz Felisiak
2023-09-18 | Refs #33691 -- Removed insecure password hashers per deprecation timeline. | Mariusz Felisiak
2023-05-18 | Fixed #34565 -- Added support for async checking of user passwords. | HappyDingning
2023-02-04 | Increased the default PBKDF2 iterations for Django 5.0. | Mariusz Felisiak
    Follow up to 9a1848f48c1f7f627a52b2063a8a8428e77765d6.
2023-01-18 | Refs #34233 -- Used str.removeprefix()/removesuffix(). | Mariusz Felisiak
2023-01-18 | Fixed #34233 -- Dropped support for Python 3.8 and 3.9. | Mariusz Felisiak
2023-01-17 | Increased the default PBKDF2 iterations for Django 5.0. | Mariusz Felisiak
2023-01-17 | Refs #33691 -- Removed django.contrib.auth.hashers.CryptPasswordHasher per deprecation timeline. | Mariusz Felisiak
2022-07-23 | Refs #33691 -- Deprecated insecure password hashers. | Claude Paroz
    SHA1PasswordHasher, UnsaltedSHA1PasswordHasher, and UnsaltedMD5PasswordHasher are now deprecated.
2022-05-17 | Increased the default PBKDF2 iterations for Django 4.2. | Carlton Gibson
2022-05-11 | Fixed #33691 -- Deprecated django.contrib.auth.hashers.CryptPasswordHasher. | Mariusz Felisiak
2022-02-07 | Refs #33476 -- Reformatted code with Black. | django-bot
2022-02-03 | Refs #33476 -- Refactored problematic code before reformatting by Black. | Mariusz Felisiak
    In these cases Black produces unexpected results, e.g.

        def make_random_password(
            self,
            length=10,
            allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789',
        ):

    or

        cursor.execute("""
        SELECT ...
        """,
            [table name],
        )
2021-12-17 | Changed signatures of setting_changed signal receivers. | Adam Johnson
2021-10-12 | Fixed #28401 -- Allowed hashlib.md5() calls to work with FIPS kernels. | Ade Lee
    md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed. See https://bugs.python.org/issue9216 for more details. Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() has been added. This encapsulation will pass through the usedforsecurity parameter in the case where the parameter is supported, and strip it if it is not.
    Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-09-27 | Refs #32355 -- Used @functools.lru_cache as a straight decorator. | Mariusz Felisiak
2021-09-20 | Increased the default PBKDF2 iterations for Django 4.1. | Mariusz Felisiak
2021-09-06 | Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in encode() methods of remaining password hashers. | Mateo Radman
2021-07-22 | Fixed #32275 -- Added scrypt password hasher. | ryowright
    Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-07-22 | Refs #32508 -- Raised TypeError/ValueError instead of using "assert" in encode() methods of some password hashers. | Mariusz Felisiak
2021-01-14 | Increased the default PBKDF2 iterations for Django 4.0. | Mariusz Felisiak
2021-01-14 | Fixed #31358 -- Increased salt entropy of password hashers. | Jon Moroney
    Co-authored-by: Florian Apolloner <florian@apolloner.eu>
2021-01-13 | Refs #31358 -- Added constant for get_random_string()'s default alphabet. | Florian Apolloner
2020-12-28 | Refs #31358 -- Fixed decoding salt in Argon2PasswordHasher. | Florian Apolloner
    Argon2 encodes the salt as base64 for representation in the final hash output. To be able to accurately return the used salt from decode(), add padding, b64decode, and decode from latin1 (for the remote possibility that someone supplied a custom hash consisting solely of bytes -- this would require a manual construction of the hash though, Django's interface does not allow for that).
2020-12-28 | Refs #31358 -- Simplified Argon2PasswordHasher.must_update() by using decode(). | Florian Apolloner
2020-06-23 | Refs #31358 -- Added decode() to password hashers. | Jon Moroney
    By convention a hasher which does not use a salt should populate the decode dict with `None` rather than omit the dict key.
    Co-Authored-By: Florian Apolloner <apollo13@users.noreply.github.com>
2020-06-17 | Fixed #30472 -- Made Argon2PasswordHasher use Argon2id. | Florian Apolloner
2020-06-17 | Refs #30472 -- Simplified Argon2PasswordHasher with argon2-cffi 19.1+ API. | Florian Apolloner
2020-05-13 | Increased the default PBKDF2 iterations for Django 3.2. | Mariusz Felisiak
2020-03-31 | Fixed #31375 -- Made contrib.auth.hashers.make_password() accept only bytes or strings. | Hasan Ramezani
2020-03-11 | Fixed #31359 -- Deprecated get_random_string() calls without an explicit length. | Claude Paroz
2019-09-12 | Increased the default PBKDF2 iterations for Django 3.1. | Carlton Gibson
2019-02-06 | Fixed #30159 -- Removed unneeded use of OrderedDict. | Nick Pope
    Dicts preserve order since Python 3.6.
2019-01-17 | Increased the default PBKDF2 iterations for Django 3.0. | Tim Graham
2018-05-17 | Increased the default PBKDF2 iterations for Django 2.2. | Tim Graham
2018-05-13 | Increased the default PBKDF2 iterations for Django 2.1. | Tim Graham
2018-03-22 | Fixed #28718 -- Allowed user to request a password reset if their password doesn't use an enabled hasher. | Tim Graham
    Regression in aeb1389442d0f9669edf6660b747fd10693b63a7. Reverted changes to is_password_usable() from 703c266682be39f7153498ad0d8031231f12ee79 and documentation changes from 92f48680dbd2e02f2b33f6ad0e35b7d337889fb2.
2018-02-26 | Fixed #29141 -- Corrected BCryptPasswordHasher's docstring about truncation. | Tim Graham
2018-02-01 | Refs #27795 -- Replaced force_text/bytes() with decode()/encode() in password hashers. | Jon Dufresne
2018-01-03 | Fixed #28982 -- Simplified code with and/or. | Дилян Палаузов