Opened 5 years ago

Last modified 4 years ago

#31358 closed Cleanup/optimization

Increase default password salt size — at Version 1

Reported by: Jon Moroney Owned by: nobody
Component: contrib.auth Version: dev
Severity: Normal Keywords:
Cc: Florian Apolloner Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Jon Moroney)

I've made a patch for this here
https://github.com/django/django/pull/12553
Which changes the default salt size from ~71 bits to ~131 bits

The rational is that modern guidance suggests a 128 bit minimum on salt sizes
OWASP: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Password_Storage_Cheat_Sheet.md#salting
Python: https://docs.python.org/3/library/hashlib.html#hashlib.pbkdf2_hmac
NIST: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf

In the case of NIST this is technically a hard requirement.

Change History (1)

comment:1 by Jon Moroney, 5 years ago

Description: modified (diff)
Note: See TracTickets for help on using tickets.
Back to Top