From 804f2b70244d435c63f7f7c6312a829bc41b2ca4 Mon Sep 17 00:00:00 2001 From: Roy Zheng Date: Mon, 10 Aug 2020 14:30:39 -0700 Subject: [PATCH] Added note about password updates on argon2 attributes change. --- docs/topics/auth/passwords.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/topics/auth/passwords.txt b/docs/topics/auth/passwords.txt index cc8ca55501..00381ecdeb 100644 --- a/docs/topics/auth/passwords.txt +++ b/docs/topics/auth/passwords.txt @@ -224,8 +224,8 @@ However, Django can only upgrade passwords that use algorithms mentioned in :setting:`PASSWORD_HASHERS`, so as you upgrade to new systems you should make sure never to *remove* entries from this list. If you do, users using unmentioned algorithms won't be able to upgrade. Hashed passwords will be -updated when increasing (or decreasing) the number of PBKDF2 iterations or -bcrypt rounds. +updated when increasing (or decreasing) the number of PBKDF2 iterations, bcrypt +rounds, or argon2 attributes. Be aware that if all the passwords in your database aren't encoded in the default hasher's algorithm, you may be vulnerable to a user enumeration timing
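Review bot: The new wording in the passwords.txt hunk does not parse cleanly: "increasing (or decreasing) the number of PBKDF2 iterations, bcrypt rounds, or argon2 attributes" reads as though it is the *number of argon2 attributes* that changes, whereas the intent (from the commit subject, "argon2 attributes change") is that changing the values of the argon2 hasher's attributes triggers a rehash. Suggest restructuring so the "number of" only governs iterations and rounds, e.g. "updated when the number of PBKDF2 iterations or bcrypt rounds, or the argon2 parameters, are changed", and consider naming the parameters concretely instead of the vague "attributes" so readers know which settings count. The surrounding guidance about never *removing* entries from PASSWORD_HASHERS is unchanged by this hunk and still reads correctly.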