Password

PASSWORD_HASHERS

  • [email protected]

  • Default

    In [3]: from django.conf import settings
    
    In [4]: settings.PASSWORD_HASHERS
    Out[4]:
    ['django.contrib.auth.hashers.PBKDF2PasswordHasher',
     'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
     'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',   
     'django.contrib.auth.hashers.BCryptPasswordHasher',
     'django.contrib.auth.hashers.SHA1PasswordHasher',
     'django.contrib.auth.hashers.MD5PasswordHasher',
     'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher',
     'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher',
     'django.contrib.auth.hashers.CryptPasswordHasher']
    
  • Support

    PASSWORD_HASHERS = [
      'django.contrib.auth.hashers.PBKDF2PasswordHasher',
      'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
      'django.contrib.auth.hashers.Argon2PasswordHasher',
      'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
      'django.contrib.auth.hashers.BCryptPasswordHasher',
      'django.contrib.auth.hashers.SHA1PasswordHasher',
      'django.contrib.auth.hashers.MD5PasswordHasher',
      'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher',
      'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher',
      'django.contrib.auth.hashers.CryptPasswordHasher',
    ]
    
  • default: PBKDF2PasswordHasher

functions

from django.contrib.auth.hashers import make_password, check_password
  • make_password

    make_password(password, salt=None, hasher='default')
    
    • Example

      In [45]: make_password('tt4it')
      Out[45]: u'pbkdf2_sha256$12000$cyP69ZOroWb5$bbDgwYwNdHyZ/qT5EKv/ozbKIVtoeuHTnZtagLPRV+E='
      
      In [46]: make_password('tt4it', None, 'pbkdf2_sha256')
      Out[46]: u'pbkdf2_sha256$12000$imk3IJOm6SjH$iZJVZEcM7lKYH+3qQ+WqEgoVElbgYzueiNKHYe+Dzsw='
      
      In [47]: make_password('tt4it', 'qwertyuiop', 'pbkdf2_sha256')
      Out[47]: u'pbkdf2_sha256$12000$qwertyuiop$It5NyYM5F0/me0q9wgcGwsy6efzyR7/OQHBQ7DNcP3Q='
      
    • hasher

      The corresponding algorithm names are:
      
      pbkdf2_sha256
      pbkdf2_sha1
      argon2
      bcrypt_sha256
      bcrypt
      sha1
      md5
      unsalted_sha1
      unsalted_md5
      crypt
      
    • encoded = algorithm + iterations + salt + hash

      algorithm, iterations, salt, hash = encoded.split('$', 3)
      
  • check_password

    check_password(password, encoded)
    
    • Example

      In [50]: check_password('tt4it', u'pbkdf2_sha256$12000$qwertyuiop$It5NyYM5F0/me0q9wgcGwsy6efzyR7/OQHBQ7DNcP3Q=')
      Out[50]: True
      

salt

algorithm, iterations, salt, hash = encoded.split('$', 3)

constant_time_compare

if hasattr(hmac, "compare_digest"):
    # Prefer the stdlib implementation, when available.
    def constant_time_compare(val1, val2):
        return hmac.compare_digest(force_bytes(val1), force_bytes(val2))
else:
    def constant_time_compare(val1, val2):
        """
        Returns True if the two strings are equal, False otherwise.
        The time taken is independent of the number of characters that match.
        For the sake of simplicity, this function executes in constant time only
        when the two strings have the same length. It short-circuits when they
        have different lengths. Since Django only uses it to compare hashes of
        known expected length, this is acceptable.
        """
        if len(val1) != len(val2):
            return False
        result = 0
        if six.PY3 and isinstance(val1, bytes) and isinstance(val2, bytes):
            for x, y in zip(val1, val2):
                result |= x ^ y
        else:
            for x, y in zip(val1, val2):
                result |= ord(x) ^ ord(y)
        return result == 0

References

[1] [email protected], Password management in Django

results matching ""

    No results matching ""