4👍
In Django, the way a user is authenticated is not done in the User model itself. Django uses other modules to do just that. In your case you can create your custom module for checking the password and add it in your settings.py (docs).
One cool thing about Django is that you can supply multiple of these hashers to do that auth. Let's say your current hash method is not as secure as some of the methods Django uses. Then if you add your custom hasher to the bottom of PASSWORD_HASHERS, the following can happen. If the password of the user who is trying to log in is stored using your custom method, then Django will try the first hasher and it will fail. Then it will try the rest of the hashers and they all will fail except your custom hasher. However, since the user is successfully authenticated and since the successful hasher is not the first hasher, Django will automatically rehash the password using the first defined hasher. This way you can gracefully upgrade to a more secure hash algorithm for the passwords as users keep logging in.
Also, if you are migrating your current database and the users table does not match the Django user model, keep in mind that starting with Django 1.5, you can define your custom User model instead of Django’s.
1👍
Reconsider your decision about keeping your old password hashes.
EXCEPT if you already used some very modern and strong scheme for them (like pbkdf2, bcrypt, shaXXX_crypt) – and NOT just some (salted or not) sha1-hash.
I know it is tempting to just stay compatible and support the old crap, but these old (salted or unsalted, doesn’t matter much for brute-forcing) sha1-hashes can be broken nowadays at a rate of > 1*10^9 guesses per second.
Also, old password minimum length requirements might need a reconsideration for the same reasons.
The default Django password hash scheme is a very secure one, btw; you should really use it.