Extra security for passwords

Posted by Adrian Holovaty on November 20, 2005

We've added extra security to the stored passwords in Django's authentication system. Thanks to a patch from GomoX, passwords are now stored with a salt and use SHA-1 encryption instead of MD5.

This change is backwards-incompatible, because two things have changed: the name of the database field (changed from "password_md5" to "password") and the length of the field (from 32 to 128). See the backwards-incompatible changes page for information on how to change your database. It's an easy update.

Of course, the password data itself is backwards-compatible. If Django finds a password in the old format (encrypted as MD5), it will transparently change the password's encryption to the new format (salted SHA-1) the first time user.check_password() is successfully called.

See the new Passwords section of the authentication docs for full information.

Finally, note that this change applies only to the Django development version. If you're using Django 0.90, you won't see this change until the next release.

News & Events

Extra security for passwords

Additional Information

Support Django!

Upcoming Events

Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

RSS Feeds

Django Links

Learn More

Get Involved

Get Help

Follow Us

Support Us