Changes between Version 12 and Version 13 of Ticket #34661, comment 8
- Timestamp:
- Jun 18, 2023, 7:00:27 PM (15 months ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
Ticket #34661, comment 8
v12 v13 1 1 Here is an example hasher: 2 2 3 {{{ 3 4 # yourapp.hashers.py … … 8 9 iterations = iterations or self.iterations 9 10 hash = pbkdf2(password, salt + settings.PASSWORD_PEPPER, iterations, digest=self.digest) 10 hash = base64.b64encode(hash).decode('ascii').strip() 11 return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash) 11 return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash.hex()) 12 12 }}} 13 14 The hash is base64 encoded on default PBKD hasher. I converted the bytes to hex string. It looks like it has a value in the context of hashing, which may confuse the developers and leak to another security issue. 13 15 14 16 In settings: 15 17 16 18 {{{ 17 PASSWORD_PEPPER = b'4545randombytes342445'19 PASSWORD_PEPPER = '4545randomstring342445' 18 20 PASSWORD_HASHERS = [ 19 21 "yourapp.hashers.PepperedPBKDF2PasswordHasher",