Closed Bug 1257257 Opened 10 years ago Closed 10 years ago

Make password hashers configurable, and default to bcrypt

Tracking

(Not tracked)

Status:

RESOLVED FIXED

People

(Reporter: mythmon, Assigned: mythmon)

Details

Michael Cooper [:mythmon]

Assignee

Description

•

10 years ago

The default Django password hasher is PBKDF2PasswordHasher, which is pretty good, but have some known issues. A better option is BCryptSHA256PasswordHasher. It is not the Django default because it requires an extra library. This bug covers making the default hasher include bcrypt as the default option (it will have to still include PBKDF2 so old passwords work). It also covers making this something we can configure with environment variables, in case we want to upgrade this in the future.

Michael Cooper [:mythmon]

Assignee

Comment 1

•

10 years ago

Docs: https://docs.djangoproject.com/en/1.9/topics/auth/passwords/#using-bcrypt-with-django

Assignee: nobody → mcooper

Status: NEW → ASSIGNED

[github robot]

Comment 2

•

10 years ago

Commit pushed to master at https://github.com/mozilla/normandy https://github.com/mozilla/normandy/commit/945b038c8b0e862d0426b641a9b623b33d495594 Switch to bcrypt password hashing Fixes bug 1257257.

[github robot]

Updated

•

10 years ago

Status: ASSIGNED → RESOLVED

Closed: 10 years ago

Resolution: --- → FIXED

Nobody; OK to take it and work on it

Updated

•

10 years ago

Component: SHIELD → General

Product: Websites → Normandy

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Make password hashers configurable, and default to bcrypt

Categories

(Shield :: General, defect)

Tracking

(Not tracked)

People

(Reporter: mythmon, Assigned: mythmon)

References

Details

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2

Updated

Updated