mirror of https://github.com/django/django.git synced 2025-06-04 19:19:13 +00:00

[3.1.x] Added note about password updates on argon2 attributes change.

Backport of 804f2b70244d435c63f7f7c6312a829bc41b2ca4 from master
Roy Zheng 2020-08-10 14:30:39 -07:00 committed by Mariusz Felisiak
parent a1ce98fa6f
commit 02572bfc59


@ -224,8 +224,8 @@ However, Django can only upgrade passwords that use algorithms mentioned in
:setting:`PASSWORD_HASHERS`, so as you upgrade to new systems you should make
sure never to *remove* entries from this list. If you do, users using
unmentioned algorithms won't be able to upgrade. Hashed passwords will be
updated when increasing (or decreasing) the number of PBKDF2 iterations or
bcrypt rounds.
updated when increasing (or decreasing) the number of PBKDF2 iterations, bcrypt
rounds, or argon2 attributes.
Be aware that if all the passwords in your database aren't encoded in the
default hasher's algorithm, you may be vulnerable to a user enumeration timing
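
Review bot: in the reworded sentence, "argon2 attributes" is less specific than the "PBKDF2 iterations" and "bcrypt rounds" listed beside it, so a reader cannot tell which argon2 settings cause stored hashes to be updated. Consider naming the attributes explicitly, or cross-referencing the place where the argon2 hasher's tunable attributes are documented, so that the three items in the list are equally concrete.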