4👍
Django uses a different password hashing algorithm by default, namely PBKDF2 with SHA-256. The only way you could move the existing hashes over to Django would be to tell it to use a different hasher. A plain SHA-256-Hasher isn’t built-in, so you’d have to write your own.
However, I would consider not doing that and providing a migration path for your existing users, since PBKDF2-sha256 is considered more secure:
Store these hashes in an additional field on your user, and prompt them to change their password on their first login (then throw away the old hash and only save their password hashed the Django way). You could even do this transparently to your users (i.e. on first login, after checking the hash matches with the old hash from Flask, generate a new hash based on the same password (that you have at this point in time) and store it, then throw the old hash away.
1👍
flask and django use hashlib.pbkdf2_hmac to generate password hash. the difference is the format and encoding. so possible to translate the password hash from one format to another transparently. (I wonder why not uniform and decrease the friction)
def trans_hash(str):
"""from flask to django"""
[alg, _hash_alg, rest] = str.split(':')
[iteration, salt, hashed] = rest.split('$')
# in flask hex() formated, so decode using b16decode
# https://github.com/pallets/werkzeug/blob/main/src/werkzeug/security.py#L162
raw_hash = base64.b16decode(hashed.strip().encode('ascii').upper())
# in django, use b64encode, https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/contrib/auth/hashers.py#L276
hashed = base64.b64encode(raw_hash).decode('ascii').strip()
rest = '$'.join([iteration, salt, hashed] )
return f"{alg}_{_hash_alg}${rest}"
a password hash in flask:
pbkdf2:sha256:150000$zwBNBm5i$be85b2739ab81c94ea2596fe79c0f6e7d211561f5ea1525c5620e817ef3ea82b
will translate to (django)
pbkdf2_sha256$150000$zwBNBm5i$voWyc5q4HJTqJZb+ecD259IRVh9eoVJcViDoF+8+qCs=
- [Django]-Using different templates with django form wizard
- [Django]-Django startapp admin file missing
- [Django]-Django trying to upper(integer) in Postgres causing "no function matches the given name and argument types"
- [Django]-Django Admin validation