Changes between Version 12 and Version 13 of Ticket #34661, comment 8


Timestamp:
Jun 18, 2023, 7:00:27 PM (18 months ago)
Author:
Fatih Erikli

  • Ticket #34661, comment 8

    v12 → v13 (lines prefixed with - were removed, + were added; unprefixed lines are unchanged)

     Here is an example hasher:
    +
     {{{
     # yourapp.hashers.py

             iterations = iterations or self.iterations
             hash = pbkdf2(password, salt + settings.PASSWORD_PEPPER, iterations, digest=self.digest)
    -        hash = base64.b64encode(hash).decode('ascii').strip()
    -        return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)
    +        return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash.hex())
     }}}
    +
    +The hash is base64 encoded on default PBKD hasher. I converted the bytes to hex string. It looks like it has a value in the context of hashing, which may confuse the developers and leak to another security issue.

     In settings:

     {{{
    -PASSWORD_PEPPER = b'4545randombytes342445'
    +PASSWORD_PEPPER = '4545randomstring342445'
     PASSWORD_HASHERS = [
         "yourapp.hashers.PepperedPBKDF2PasswordHasher",
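The following is an added, stand-alone illustration of the peppered hasher sketched in the comment above; it is not the ticket author's code and not part of Django. It uses `hashlib.pbkdf2_hmac` in place of Django's `pbkdf2` helper and `BasePasswordHasher`, keeps the comment's choices (pepper appended to the per-user salt, hex-encoded digest, `algorithm$iterations$salt$hash` layout), and adds the verify and must-update sides that the snippet omits. The pepper value, the algorithm name and the iteration count are constructed or assumed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed value for this example only. In a deployment the pepper is
# loaded from the environment or a secret store, never committed with the
# code and never stored next to the password hashes it protects.
PASSWORD_PEPPER = "example-pepper-not-a-real-secret"

ALGORITHM = "pepper_pbkdf2_sha256"   # assumed name for the peppered hasher
DIGEST = "sha256"
ITERATIONS = 600_000                  # assumed default; tune to your hardware


def generate_salt(nbytes=16):
    """Random per-user salt. The salt is stored in the clear; the pepper is not."""
    return secrets.token_hex(nbytes)


def encode(password, salt, iterations=ITERATIONS, pepper=PASSWORD_PEPPER):
    """Mirror of the hasher in the ticket: PBKDF2 over the password, with the
    pepper appended to the per-user salt, hex-encoded as in v13 of the comment.
    salt and pepper are both str here, which is why a bytes pepper (the v12
    setting) cannot be concatenated with a str salt in Python 3."""
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    derived = hashlib.pbkdf2_hmac(
        DIGEST, password.encode("utf-8"), (salt + pepper).encode("utf-8"), iterations
    )
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, derived.hex())


def decode(encoded):
    """Split the stored string back into its fields."""
    algorithm, iterations, salt, digest_hex = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError("unknown algorithm: %s" % algorithm)
    return {"algorithm": algorithm, "iterations": int(iterations),
            "salt": salt, "hash": digest_hex}


def verify(password, encoded, pepper=PASSWORD_PEPPER):
    """Re-derive with the stored salt and iteration count and compare in
    constant time. A wrong pepper fails exactly like a wrong password, so a
    leaked hash table alone does not allow offline guessing."""
    fields = decode(encoded)
    candidate = encode(password, fields["salt"], fields["iterations"], pepper)
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


def must_update(encoded, iterations=ITERATIONS):
    """True when a stored hash uses fewer iterations than the current setting,
    so it can be re-hashed at the next successful login (the role of
    must_update() in Django's hashers)."""
    return decode(encoded)["iterations"] < iterations


if __name__ == "__main__":
    stored = encode("correct horse battery staple", generate_salt())
    print(stored)
    print(verify("correct horse battery staple", stored))   # True
    print(verify("wrong password", stored))                  # False
```

Hex and base64 carry the same digest bytes, so the choice only changes how the stored field looks; what matters for the pepper scheme is that `verify` re-derives with the same pepper and the stored salt and iteration count, and that the pepper is rotated only together with a re-hash of every affected user, since a pepper change invalidates all existing hashes.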