#33793 closed New feature (wontfix)
Check for PASSWORD_HASHERS
Reported by: | Francisco Couzo | Owned by: | nobody |
---|---|---|---|
Component: | Core (System checks) | Version: | |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I think it would be a good idea for the check command to check that PASSWORD_HASHERS[0] is not any of the insecure password hashers such as MD5PasswordHasher or SHA1PasswordHasher.
I can take care of implementing this if there's interest in this feature.
Django keeps "weak" password hashers for support with legacy systems and speeding up the tests. Moreover, they are not enabled by default, so you must add them explicitly to the PASSWORD_HASHERS. Folks that do this should be aware of their weakness. IMO there is no need for a new system check. You can start a discussion on DevelopersMailingList if you don't agree.
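Since the ticket was closed as wontfix, a project that wants the check described above can register it as a custom system check. The following is an added example, not Django's code and not something posted in the ticket; the two unsalted hasher names, the `myproject.*` check ids, the sample lists and the choice of `deploy=True` are assumptions.

```python
# Added example: a project-level check, not part of Django itself.
# MD5/SHA1PasswordHasher are named in the ticket; the unsalted variants are
# other weak hashers from django.contrib.auth.hashers (assumed list).
WEAK_HASHERS = {
    "MD5PasswordHasher",
    "SHA1PasswordHasher",
    "UnsaltedMD5PasswordHasher",
    "UnsaltedSHA1PasswordHasher",
}

# Constructed sample values for the PASSWORD_HASHERS setting.
LEGACY_FIRST = ["django.contrib.auth.hashers.MD5PasswordHasher",
                "django.contrib.auth.hashers.PBKDF2PasswordHasher"]
MIGRATING = ["django.contrib.auth.hashers.PBKDF2PasswordHasher",
             "django.contrib.auth.hashers.SHA1PasswordHasher"]


def weak_hasher_findings(hashers):
    """Return (level, message) tuples for a PASSWORD_HASHERS-style list."""
    findings = []
    for index, path in enumerate(hashers):
        name = path.rsplit(".", 1)[-1]  # class name from the dotted path
        if name not in WEAK_HASHERS:
            continue
        if index == 0:
            # Entry 0 is the hasher used to store new and changed passwords.
            findings.append(("warning", f"PASSWORD_HASHERS[0] is {name}; "
                             "new passwords will be stored with a weak hash."))
        else:
            # Later entries only verify existing hashes (legacy support).
            findings.append(("info", f"PASSWORD_HASHERS[{index}] is {name}; "
                             "legacy hashes are still accepted at login."))
    return findings


def register_with_django():
    """Call once, e.g. from AppConfig.ready(); runs under `check --deploy`."""
    from django.conf import settings
    from django.core import checks

    # deploy=True keeps fast test settings that use MD5 from raising noise.
    @checks.register(checks.Tags.security, deploy=True)
    def password_hashers_check(app_configs, **kwargs):
        levels = {"warning": checks.Warning, "info": checks.Info}
        return [levels[level](msg, id=f"myproject.{level[0].upper()}001")
                for level, msg in weak_hasher_findings(settings.PASSWORD_HASHERS)]

    return password_hashers_check
```

Matching is by class name only, so a weak hasher subclassed under a different name is not reported.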