From 0e560edf32c001705dd43bdc68099d271c20c312 Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Fri, 15 Sep 2023 10:54:10 +0200 Subject: [PATCH] Increased the default PBKDF2 iterations for Django 5.1. --- django/contrib/auth/hashers.py | 2 +- docs/releases/5.1.txt | 3 ++- tests/auth_tests/test_hashers.py | 8 ++++---- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py index 95b6e000bc..e23ae6243e 100644 --- a/django/contrib/auth/hashers.py +++ b/django/contrib/auth/hashers.py @@ -312,7 +312,7 @@ class PBKDF2PasswordHasher(BasePasswordHasher): """ algorithm = "pbkdf2_sha256" - iterations = 720000 + iterations = 870000 digest = hashlib.sha256 def encode(self, password, salt, iterations=None): diff --git a/docs/releases/5.1.txt b/docs/releases/5.1.txt index 77cb9fbfc7..37868efde1 100644 --- a/docs/releases/5.1.txt +++ b/docs/releases/5.1.txt @@ -42,7 +42,8 @@ Minor features :mod:`django.contrib.auth` ~~~~~~~~~~~~~~~~~~~~~~~~~~ -* ... +* The default iteration count for the PBKDF2 password hasher is increased from + 720,000 to 870,000. :mod:`django.contrib.contenttypes` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py index 643f60ffc7..e0b640a998 100644 --- a/tests/auth_tests/test_hashers.py +++ b/tests/auth_tests/test_hashers.py @@ -83,7 +83,7 @@ class TestUtilsHashPass(SimpleTestCase): encoded = make_password("lètmein", "seasalt", "pbkdf2_sha256") self.assertEqual( encoded, - "pbkdf2_sha256$720000$seasalt$eDupbcisD1UuIiou3hMuMu8oe/XwnpDw45r6AA5iv0E=", + "pbkdf2_sha256$870000$seasalt$wJSpLMQRQz0Dhj/pFpbyjMj71B2gUYp6HJS5AU+32Ac=", ) self.assertTrue(is_password_usable(encoded)) self.assertTrue(check_password("lètmein", encoded)) @@ -275,8 +275,8 @@ class TestUtilsHashPass(SimpleTestCase): encoded = hasher.encode("lètmein", "seasalt2") self.assertEqual( encoded, - "pbkdf2_sha256$720000$" - "seasalt2$e8hbsPnTo9qWhT3xYfKWoRth0h0J3360yb/tipPhPtY=", + "pbkdf2_sha256$870000$" + "seasalt2$nxgnNHRsZWSmi4hRSKq2MRigfaRmjDhH1NH4g2sQRbU=", ) self.assertTrue(hasher.verify("lètmein", encoded)) @@ -284,7 +284,7 @@ class TestUtilsHashPass(SimpleTestCase): hasher = PBKDF2SHA1PasswordHasher() encoded = hasher.encode("lètmein", "seasalt2") self.assertEqual( - encoded, "pbkdf2_sha1$720000$seasalt2$2DDbzziqCtfldrRSNAaF8oA9OMw=" + encoded, "pbkdf2_sha1$870000$seasalt2$iFPKnrkYfxxyxaeIqxq+c3nJ/j4=" ) self.assertTrue(hasher.verify("lètmein", encoded))