Opened 4 years ago

Closed 3 years ago

Last modified 14 months ago

#32275 closed New feature (fixed)

Add scrypt password hasher

Reported by: Alex Gaynor
Owned by: Anthony Wright
Component: contrib.auth
Version: dev
Severity: Normal
Keywords:
Cc: Anthony Wright
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Currently Django defaults to PBKDF2, with options (using third party libraries) for bcrypt and argon2 (and then a large number of legacy options that should be avoided).

When PBKDF2 was originally chosen as the default, it was selected because it was the most secure option that could reasonably be implemented in pure Python with the stdlib.

As of Python 3.6, scrypt is available in the stdlib. scrypt is also substantially more secure than PBKDF2, because it is memory hard. See https://www.tarsnap.com/scrypt/scrypt.pdf (page 14) for a table that assesses the relative cost-to-brute-force of scrypt vs. PBKDF2 at the interactive latency.

For these reasons, I think it'd be appropriate for Django to include an scrypt based hasher, and even to default to it for new installations.

Change History (12)

comment:1 by Alex Gaynor, 4 years ago

I should note, that while I can't make any commitments on behalf of a 3rd party, I think there's a reasonable chance this would qualify for a reward under Google's Patch Rewards program: https://www.google.com/about/appsecurity/patch-rewards/ (I have no affiliation with Google)

Link to the scrypt docs: https://docs.python.org/3/library/hashlib.html#hashlib.scrypt

comment:2 by Mariusz Felisiak, 4 years ago

Summary: Offer an scrypt based password hasher → Add scrypt password hasher
Triage Stage: Unreviewed → Accepted

comment:3 by Anthony Wright, 4 years ago

Cc: Anthony Wright added
Owner: changed from nobody to Anthony Wright
Status: new → assigned

comment:4 by Anthony Wright, 4 years ago

Wrote scrypt function in crypto.py which uses the hashlib.scrypt function. Wrote ScryptPasswordHasher class in Hashers.py and added it as an option in global_settings. Currently working on tests.
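The following is an added example, not code from this ticket, its patch, or Django itself. It illustrates the two technical points above: the description's observation that hashlib.scrypt is in the stdlib and is memory hard (RAM use grows as roughly 128 * n * r * p bytes, so a brute-forcer cannot trade memory for ASIC throughput the way it can with PBKDF2), and comment 4's outline of a hasher class built on that function. The encoded-string layout (algorithm$n$salt$r$p$base64hash), the parameter values, the memory cap, and all function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Parameters assumed for this example: n is the CPU/memory cost (power of two),
# r the block size, p the parallelism. Memory use is about 128 * n * r * p bytes,
# which is what makes scrypt "memory hard" compared with PBKDF2.
ALGORITHM = "scrypt"
WORK_FACTOR = 2 ** 14      # n: 16 MiB with r=8, p=1
BLOCK_SIZE = 8             # r
PARALLELISM = 1            # p
DKLEN = 64                 # derived key length in bytes
# hashlib.scrypt(maxmem=0) falls back to OpenSSL's built-in cap; an explicit cap
# means a stored parameter string with an absurd n fails fast instead of
# exhausting memory during verification.
MAXMEM = 64 * 1024 * 1024


def memory_cost(n, r, p):
    """Approximate bytes of RAM one scrypt evaluation needs."""
    return 128 * n * r * p


def _check_params(n, r, p):
    """Reject parameters that are invalid or exceed the memory cap."""
    if n < 2 or n & (n - 1):
        raise ValueError("work factor n must be a power of two >= 2")
    if r < 1 or p < 1:
        raise ValueError("block size and parallelism must be >= 1")
    if memory_cost(n, r, p) > MAXMEM:
        raise ValueError("scrypt parameters exceed the configured memory cap")


def _derive(password, salt, n, r, p):
    """Thin wrapper over the stdlib primitive (all parameters keyword-only)."""
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt.encode("utf-8"),
        n=n, r=r, p=p, maxmem=MAXMEM, dklen=DKLEN,
    )


def encode(password, salt=None, n=WORK_FACTOR, r=BLOCK_SIZE, p=PARALLELISM):
    """Return 'scrypt$n$salt$r$p$base64hash' (layout assumed for this example)."""
    if salt is None:
        salt = secrets.token_urlsafe(16)   # URL-safe alphabet, never contains '$'
    if not salt or "$" in salt:
        raise ValueError("salt must be non-empty and must not contain '$'")
    _check_params(n, r, p)
    digest = _derive(password, salt, n, r, p)
    b64 = base64.b64encode(digest).decode("ascii")
    return "$".join([ALGORITHM, str(n), salt, str(r), str(p), b64])


def decode(encoded):
    """Split a stored hash back into its parameters."""
    algorithm, n, salt, r, p, b64 = encoded.split("$", 5)
    if algorithm != ALGORITHM:
        raise ValueError("not a scrypt hash")
    return {"n": int(n), "salt": salt, "r": int(r), "p": int(p), "hash": b64}


def verify(password, encoded):
    """Re-derive with the stored parameters and compare in constant time."""
    d = decode(encoded)
    _check_params(d["n"], d["r"], d["p"])   # validate before spending memory
    candidate = encode(password, salt=d["salt"], n=d["n"], r=d["r"], p=d["p"])
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


def must_update(encoded):
    """True when a stored hash uses parameters other than the current defaults."""
    d = decode(encoded)
    return (d["n"], d["r"], d["p"]) != (WORK_FACTOR, BLOCK_SIZE, PARALLELISM)


if __name__ == "__main__":
    stored = encode("correct horse battery staple")
    print(stored)
    print("verify ok:", verify("correct horse battery staple", stored))
    print("verify bad:", verify("wrong password", stored))
    print("memory per hash (MiB):", memory_cost(WORK_FACTOR, BLOCK_SIZE, PARALLELISM) / 2 ** 20)
```

Two design points a production hasher needs and this example keeps: parameters are stored with the hash so they can be raised later (must_update flags old rows for re-hashing on next login), and the stored parameters are validated against a memory cap before hashlib.scrypt is called, since verification otherwise allocates whatever n the database row says.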

comment:7 by Anthony Wright, 4 years ago

Has patch: set
Last edited 4 years ago by Tim Graham

comment:8 by Tim Graham, 4 years ago

Patch needs improvement: set

comment:9 by Mariusz Felisiak, 3 years ago

Needs documentation: set
Patch needs improvement: unset

comment:10 by Mariusz Felisiak, 3 years ago

Needs documentation: unset
Triage Stage: Accepted → Ready for checkin

comment:11 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

Resolution: fixed
Status: assigned → closed

In 1783b3c:

Fixed #32275 -- Added scrypt password hasher.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@…>

comment:12 by GitHub <noreply@…>, 14 months ago

In 90c75dc4:

Refs #32275 -- Added scrypt password hasher to PASSWORD_HASHERS setting docs.

comment:13 by Mariusz Felisiak <felisiak.mariusz@…>, 14 months ago

In d5b093a2:

[5.0.x] Refs #32275 -- Added scrypt password hasher to PASSWORD_HASHERS setting docs.

Backport of 90c75dc4f37bee19b7c3790519d187e38e293800 from main

comment:14 by Mariusz Felisiak <felisiak.mariusz@…>, 14 months ago

In 99dcba9:

[4.2.x] Refs #32275 -- Added scrypt password hasher to PASSWORD_HASHERS setting docs.

Backport of 90c75dc4f37bee19b7c3790519d187e38e293800 from main
