Last active
December 19, 2015 22:08
Simple subclass of Django PBKDF2PasswordHasher (which uses pbkdf2+sha256) that ups `iterations` to 3x the Django default and adjusts digest to use SHA384 (to fit within the 128 char limit in DB).
```python
from django import VERSION
if (VERSION[0] == 1) and (VERSION[1] >= 4):
    from django.contrib.auth.hashers import PBKDF2PasswordHasher
    import hashlib

    class PBKDF2SHA384PasswordHasher(PBKDF2PasswordHasher):
        # don't use SHA512: growing the `iterations` too much will likely
        # cause name:itr:hash to grow beyond the 128 character limit for
        # the `password` field in DB
        #
        # At default 10,000 iterations, a SHA512 field is 122 characters long,
        # this one is only 97 characters long, leaving us a big margin (extra
        # iterations of factor of 10^30) to continue to grow our iterations size.
        #
        # Also: don't change iteration size here from now on. Built-in
        # `PBKDF2PasswordHasher.iterations` will grow with each version of
        # Django (staying 3x slower than Django's setting) meaning that
        # passwords will stay at constant slowness vs available CPU power as
        # long as we update Django.
        algorithm = "pbkdf2_sha384"
        digest = hashlib.sha384
        iterations = PBKDF2PasswordHasher.iterations * 3
```
```python
#…
# ===== PASSWORD_HASHERS =====
# NEVER take anything out of this list. You can ADD to this list or REORDER
# this list, but NEVER TAKE ANYTHING OUT.
# Top item is the 'preferred' algorithm -- passwords of other algorithms
# will get converted to this on successful login or password reset. Other items
# allow Django to read other algorithms so that they can be upgraded.
# READ: https://docs.djangoproject.com/en/1.5/topics/auth/passwords/
PASSWORD_HASHERS = (
    'cannonball.core.auth_crypto.PBKDF2SHA384PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.BCryptPasswordHasher',
    'django.contrib.auth.hashers.SHA1PasswordHasher',  # IF YOU NEED DB TO BE COMPATIBLE WITH DJANGO <1.4, PUT THIS FIRST
    'django.contrib.auth.hashers.MD5PasswordHasher',
    'django.contrib.auth.hashers.CryptPasswordHasher',
)
#…
```
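Added example, not part of the gist: a Django-free re-implementation of the `pbkdf2_sha384` scheme in Django's `algorithm$iterations$salt$hash` layout, so the 97-character claim, the 128-character `password` column budget and the re-hash-on-login check that the settings comment relies on can be exercised without a database. The 10,000-iteration default and 12-character salt are assumed to match Django 1.4/1.5.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed to mirror Django 1.4/1.5: default iteration count and salt length.
ALGORITHM = "pbkdf2_sha384"
DIGEST_NAME = "sha384"
DEFAULT_ITERATIONS = 10000
ITERATIONS = DEFAULT_ITERATIONS * 3   # the gist's 3x multiplier
SALT_LEN = 12
DB_FIELD_LIMIT = 128                  # max_length of the User.password column


def encode(password: str, salt: str, iterations: int = ITERATIONS) -> str:
    """Return Django-style 'algorithm$iterations$salt$base64(hash)'."""
    assert "$" not in salt, "salt must not contain the field separator"
    raw = hashlib.pbkdf2_hmac(DIGEST_NAME, password.encode("utf-8"),
                              salt.encode("utf-8"), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt,
                            base64.b64encode(raw).decode("ascii"))


def verify(password: str, encoded: str) -> bool:
    """Re-derive with the stored iterations/salt and compare in constant time."""
    algorithm, iterations, salt, _ = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        return False
    return hmac.compare_digest(encode(password, salt, int(iterations)), encoded)


def must_update(encoded: str) -> bool:
    """True when the stored hash does not use the current iteration count;
    Django re-hashes such passwords on the next successful login."""
    return int(encoded.split("$", 3)[1]) != ITERATIONS


def fits_db(encoded: str) -> bool:
    """Check the encoded string against the 128-character column limit."""
    return len(encoded) <= DB_FIELD_LIMIT


def make_salt() -> str:
    return secrets.token_urlsafe(SALT_LEN)[:SALT_LEN]


if __name__ == "__main__":
    h = encode("correct horse battery staple", make_salt())
    print(len(h), fits_db(h), verify("correct horse battery staple", h))
```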
inb4 "use bcrypt", "y u no bcrypt", etc:
there are some machines (developers running Windows, test boxes, ecommerce servers) where we could not install python-bcrypt, but needed to use the same authentication data or wanted to use as close to the same configuration as possible for performance/bug testing.