
#1 Nov. 21, 2005 03:37:38

Adrian H.

Backwards-incompatible change in development version: Password change


We've added extra security to the stored passwords in Django's
authentication system. Thanks to a patch from GomoX, passwords are now
stored with a salt and use SHA-1 encryption instead of MD5.

This change is backwards-incompatible, because two things have
changed: the name of the database field (changed from "password_md5"
to "password") and the length of the field (from 32 to 128). See the
backwards-incompatible changes page for information on how to change
your database. It's an easy update.

http://code.djangoproject.com/wiki/BackwardsIncompatibleChanges

Of course, the password data itself *is* backwards-compatible. If
Django finds a password in the old format (encrypted as MD5), it will
transparently change the password's encryption to the new format
(salted SHA-1) the first time user.check_password() is successfully
called.

See the new Passwords section of the authentication docs for full information:

http://www.djangoproject.com/documentation/authentication/#passwords

Finally, note that this change applies only to the Django development
version. If you're using Django 0.90, you won't see this change until
the next release.

Adrian

--
Adrian Holovaty
holovaty.com | djangoproject.com | chicagocrime.org
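The storage change announced above, as an added example; this is not Django's own code and not code from any poster. It puts the legacy record (an unsalted MD5 hex digest, 32 characters, the old "password_md5" column) next to a salted SHA-1 record, and shows a check_password that accepts the old form and rewrites it in the new form only on the first successful check, which is the behaviour the post describes. One wording point: the post says "encryption", but MD5 and SHA-1 are one-way hashes here; nothing is ever decrypted at login, and the reason the upgrade can only happen on a successful check is that the raw password is needed to compute the new record. The "sha1$<salt>$<hex digest>" layout, the 5-character hex salt, the User stand-in and the use of hmac.compare_digest are assumptions of this example, not details taken from the page.

```python
import hashlib
import hmac
import secrets


def legacy_md5(raw_password):
    """The old record: unsalted MD5 hex digest, 32 characters, no salt."""
    return hashlib.md5(raw_password.encode("utf-8")).hexdigest()


def make_password(raw_password, salt=None):
    """New record in the assumed 'sha1$<salt>$<hex digest>' layout.

    The salt is mixed in before hashing, so two users with the same raw
    password get different records, and a precomputed table of MD5/SHA-1
    digests of common passwords no longer matches the stored column directly.
    """
    if salt is None:
        salt = secrets.token_hex(3)[:5]  # 5 hex chars: an illustrative length
    digest = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    return "sha1$%s$%s" % (salt, digest)


class User:
    """Stand-in for the auth model: holds only the 'password' column."""

    def __init__(self, password_field):
        self.password = password_field
        self.saves = 0  # number of writes, so the in-place upgrade is observable

    def save(self):
        self.saves += 1

    def set_password(self, raw_password):
        self.password = make_password(raw_password)

    def check_password(self, raw_password):
        """True if raw_password matches; upgrades a legacy MD5 record in place.

        The rewrite can only happen on a *successful* check: the salted SHA-1
        record has to be computed from the raw password, which is only
        available (and only known to be correct) at that moment.
        """
        if "$" not in self.password:
            # Legacy layout: compare against unsalted MD5, then re-store.
            ok = hmac.compare_digest(self.password, legacy_md5(raw_password))
            if ok:
                self.set_password(raw_password)
                self.save()
            return ok
        parts = self.password.split("$")
        if len(parts) != 3 or parts[0] != "sha1":
            return False  # unknown or malformed record: never match
        candidate = make_password(raw_password, parts[1])
        return hmac.compare_digest(candidate, self.password)
```

A row carried over from the old column keeps working with the user's existing password; after the first successful check the stored value starts with "sha1$" (51 characters with a 5-character salt, well inside the widened 128-character field), and a wrong guess leaves both the legacy record and the row untouched.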


#2 Nov. 21, 2005 12:03:12

A.

On 21 Nov 2005, at 3:37, Adrian Holovaty wrote:
> We've added extra security to the stored passwords in Django's
> authentication system. Thanks to a patch from GomoX, passwords are now
> stored with a salt and use SHA-1 encryption instead of MD5.

Can the admin encrypt passwords for you?

Caveat newbie: Only been using Django for a short while, so missing a lot of knowledge currently.

________________________________
Afternoon, man about the Internet -- http://aftnn.org/


#3 Nov. 21, 2005 14:32:17

Adrian H.

On 11/21/05, Afternoon <> wrote:
> Can the admin encrypt passwords for you?

No, the admin interface for users currently doesn't encrypt passwords.
There's a longstanding ticket for this. Ideally there'd be a "Create
password" link that would create it on the server side via
XMLHttpRequest and populate the field.

Adrian

--
Adrian Holovaty
holovaty.com | djangoproject.com | chicagocrime.org


#4 Nov. 21, 2005 14:45:08

James B.

On 11/21/05, Adrian Holovaty <> wrote:
> No, the admin interface for users currently doesn't encrypt passwords.
> There's a longstanding ticket for this. Ideally there'd be a "Create
> password" link that would create it on the server side via
> XMLHttpRequest and populate the field.

Is there a reason why the admin couldn't simply use a _pre_save method
to hash an incoming plaintext password?

--
"May the forces of evil become confused on the way to your house."
-- George Carlin


#5 Nov. 21, 2005 15:11:09

A.

On 21 Nov 2005, at 14:44, James Bennett wrote:
> On 11/21/05, Adrian Holovaty <> wrote:
> > No, the admin interface for users currently doesn't encrypt passwords.
> > There's a longstanding ticket for this. Ideally there'd be a "Create
> > password" link that would create it on the server side via
> > XMLHttpRequest and populate the field.
>
> Is there a reason why the admin couldn't simply use a _pre_save method
> to hash an incoming plaintext password?

I don't know about the ticket, but this seems like a better solution. I was already thinking this having seen the posts in the last few days.

________________________________
Afternoon, man about the Internet -- http://aftnn.org/


#6 Nov. 21, 2005 15:26:44

Adrian H.

On 11/21/05, James Bennett <> wrote:
> Is there a reason why the admin couldn't simply use a _pre_save method
> to hash an incoming plaintext password?

There'd be no way of knowing whether the incoming password were
plaintext vs. encrypted, because any character is allowed in a
password.

Adrian

--
Adrian Holovaty
holovaty.com | djangoproject.com | chicagocrime.org


#7 Nov. 21, 2005 15:33:59

James B.

On 11/21/05, Adrian Holovaty <> wrote:
> There'd be no way of knowing whether the incoming password were
> plaintext vs. encrypted, because any character is allowed in a
> password.

I guess I could have phrased that better. Currently admin interface
directs the user to enter the hash, not the actual password; this
would be done away with, and the user would be directed to enter the
actual password, which would be hashed by the _pre_save.

Entering the hash directly would have to be disallowed, making for
another backwards-incompatible change, but I can't think of any reason
why it'd be useful to keep that ability.

--
"May the forces of evil become confused on the way to your house."
-- George Carlin


#8 Nov. 21, 2005 15:34:46

A.

On 21 Nov 2005, at 15:26, Adrian Holovaty wrote:
> There'd be no way of knowing whether the incoming password were
> plaintext vs. encrypted, because any character is allowed in a
> password.

I would assume it's always plaintext. I've never seen anything where you have to encrypt the password yourself first. Take out the message and nobody would even think about it.

________________________________
Afternoon, man about the Internet -- http://aftnn.org/


#9 Nov. 21, 2005 15:40:05

Laurent R.

On Monday 21 November 2005 16:34, Afternoon wrote:
> On 21 Nov 2005, at 15:26, Adrian Holovaty wrote:
> > There'd be no way of knowing whether the incoming password were
> > plaintext vs. encrypted, because any character is allowed in a
> > password.
>
> I would assume it's always plaintext. I've never seen anything where
> you have to encrypt the password yourself first. Take out the message
> and nobody would even think about it.
>

+1. I also never saw software where the end user had to know about SHA or MD5
encryption (which are rather complicated even if you are a developer).


#10 Nov. 21, 2005 15:41:55

Adrian H.

On 11/21/05, Afternoon <> wrote:
> > There'd be no way of knowing whether the incoming password were
> > plaintext vs. encrypted, because any character is allowed in a
> > password.
>
> I would assume it's always plaintext. I've never seen anything where
> you have to encrypt the password yourself first. Take out the message
> and nobody would even think about it.

If we assume it's always plaintext, that would mean you'd have to
enter the password for an individual user each time you changed that
user.

Adrian

--
Adrian Holovaty
holovaty.com | djangoproject.com | chicagocrime.org
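The disagreement in posts #4 through #10, as an added example that is not Django's code and not code from any poster: a pre_save-style hook that hashes whatever does not already look hashed, next to the concrete case Adrian's objection points at, and an alternative in which the stored column is never typed by the user at all. Because any character is allowed in a password, a raw password that happens to match the stored layout slips through the hook unhashed, and the user can then never log in with it (check_password would salt and hash it again). Keeping plaintext on a separate, optional field removes the guess, and an empty field meaning "leave the password alone" answers the objection in post #10 that every edit of a user would require re-entering the password. The "sha1$<salt>$<hex digest>" layout, the regex, the hook and the form class are all assumptions of this example.

```python
import hashlib
import re
import secrets

# A record in the assumed 'sha1$<salt>$<hex digest>' layout. This is the kind
# of test a pre_save hook would have to rely on to tell "already hashed" from
# "plaintext", and it is exactly what a plaintext password can also satisfy.
STORED_RE = re.compile(r"^sha1\$[0-9a-f]+\$[0-9a-f]{40}$")


def make_password(raw_password, salt=None):
    """Salted SHA-1 record (layout assumed for this example)."""
    if salt is None:
        salt = secrets.token_hex(3)[:5]  # 5 hex chars: an illustrative length
    digest = hashlib.sha1((salt + raw_password).encode("utf-8")).hexdigest()
    return "sha1$%s$%s" % (salt, digest)


def pre_save_guess(field_value):
    """The debated approach: hash whatever does not already look hashed.

    A raw password that matches STORED_RE is stored verbatim, unhashed. Any
    later check_password() would salt-and-hash the typed value and compare
    it with this literal, so the user is locked out of their own account.
    """
    if STORED_RE.match(field_value):
        return field_value
    return make_password(field_value)


class AdminUserForm:
    """Unambiguous alternative: the stored column is never user-typed.

    Plaintext arrives only through a separate, optional field. Leaving it
    empty keeps the existing record, so editing a user's other fields does
    not force the admin to re-enter that user's password.
    """

    def __init__(self, stored):
        self.stored = stored

    def save(self, new_password=None):
        # Only a non-empty value on the dedicated field changes the record,
        # and it always goes through make_password: no heuristic involved.
        if new_password:
            self.stored = make_password(new_password)
        return self.stored
```

With the hook, the value "sha1$abcde$" followed by forty zeros is a legal password that is stored as typed; with the form, the same string is salted and hashed like any other, and calling save() with nothing on the password field returns the previous record unchanged.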
