author: Tim Graham <timograham@gmail.com> 2018-02-26 09:05:18 -0500
committer: GitHub <noreply@github.com> 2018-02-26 09:05:18 -0500
commit: 5b589a47b9ac2c8bdd13ba837fea37991a1457b9 (patch)
tree: 6a4691049c41e15b1ea10fd41ae6e008ee98c916 /docs/topics
parent: c4fa0143f7117a07a3f0258a063f5265e795ffbb (diff)
Fixed #29161 -- Removed BCryptPasswordHasher from PASSWORD_HASHERS.
Diffstat (limited to 'docs/topics')
-rw-r--r--  docs/topics/auth/passwords.txt  29
1 files changed, 0 insertions, 29 deletions
diff --git a/docs/topics/auth/passwords.txt b/docs/topics/auth/passwords.txt
index 6ae7f3d58e..4dc6748075 100644
--- a/docs/topics/auth/passwords.txt
+++ b/docs/topics/auth/passwords.txt
@@ -62,7 +62,6 @@ The default for :setting:`PASSWORD_HASHERS` is::
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.Argon2PasswordHasher',
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
- 'django.contrib.auth.hashers.BCryptPasswordHasher',
]
This means that Django will use PBKDF2_ to store all passwords but will support
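Review bot: with 'django.contrib.auth.hashers.BCryptPasswordHasher' dropped from the default PASSWORD_HASHERS, the sentence that follows the list ("This means that Django will use PBKDF2_ to store all passwords but will support checking ...") no longer covers projects that already hold hashes of the `bcrypt$...` form: Django only verifies hashes whose hasher is present in PASSWORD_HASHERS, so those users would stop authenticating after an upgrade, and nothing in this hunk warns about it. Suggest adding a sentence here (or a `.. versionchanged::` note) telling such projects to append 'django.contrib.auth.hashers.BCryptPasswordHasher' to their own PASSWORD_HASHERS so existing hashes keep verifying and are upgraded to the default algorithm on the next login.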
@@ -99,7 +98,6 @@ To use Argon2 as your default storage algorithm, do the following:
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
- 'django.contrib.auth.hashers.BCryptPasswordHasher',
]
Keep and/or add any entries in this list if you need Django to :ref:`upgrade
@@ -126,7 +124,6 @@ To use Bcrypt as your default storage algorithm, do the following:
PASSWORD_HASHERS = [
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
- 'django.contrib.auth.hashers.BCryptPasswordHasher',
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.Argon2PasswordHasher',
@@ -138,31 +135,6 @@ To use Bcrypt as your default storage algorithm, do the following:
That's it -- now your Django install will use Bcrypt as the default storage
algorithm.
-.. admonition:: Password truncation with BCryptPasswordHasher
-
- The designers of bcrypt truncate all passwords at 72 characters which means
- that ``bcrypt(password_with_100_chars) == bcrypt(password_with_100_chars[:72])``.
- The original ``BCryptPasswordHasher`` does not have any special handling and
- thus is also subject to this hidden password length limit.
- ``BCryptSHA256PasswordHasher`` fixes this by first hashing the
- password using sha256. This prevents the password truncation and so should
- be preferred over the ``BCryptPasswordHasher``. The practical ramification
- of this truncation is pretty marginal as the average user does not have a
- password greater than 72 characters in length and even being truncated at 72
- the compute powered required to brute force bcrypt in any useful amount of
- time is still astronomical. Nonetheless, we recommend you use
- ``BCryptSHA256PasswordHasher`` anyway on the principle of "better safe than
- sorry".
-
-.. admonition:: Other bcrypt implementations
-
- There are several other implementations that allow bcrypt to be
- used with Django. Django's bcrypt support is NOT directly
- compatible with these. To upgrade, you will need to modify the
- hashes in your database to be in the form ``bcrypt$(raw bcrypt
- output)``. For example:
- ``bcrypt$$2a$12$NT0I31Sa7ihGEWpka9ASYrEFkhuTNeBQ2xfZskIiiJeyFXhRgS.Sy``.
-
.. _increasing-password-algorithm-work-factor:
Increasing the work factor
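Review bot: deleting the "Password truncation with BCryptPasswordHasher" admonition removes the only explanation of why BCryptSHA256PasswordHasher prehashes with SHA-256; the 72-character limit (``bcrypt(password_with_100_chars) == bcrypt(password_with_100_chars[:72])``) is a property of bcrypt itself, not of the hasher being removed, and still matters to readers choosing BCryptSHA256PasswordHasher. Suggest keeping a shortened version attached to BCryptSHA256PasswordHasher and, while touching it, stating the limit as 72 bytes rather than characters, since multibyte UTF-8 passwords reach it sooner. The "Other bcrypt implementations" admonition is likewise the only place the ``bcrypt$(raw bcrypt output)`` storage form is documented; since projects migrating hashes from third-party bcrypt libraries still need that format, consider moving it rather than deleting it.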
@@ -202,7 +174,6 @@ default PBKDF2 algorithm:
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.Argon2PasswordHasher',
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
- 'django.contrib.auth.hashers.BCryptPasswordHasher',
]
That's it -- now your Django install will use more iterations when it