Weblog

Extra security for passwords

We've added extra security to the stored passwords in Django's authentication system. Thanks to a patch from GomoX, passwords are now stored with a salt and use SHA-1 encryption instead of MD5.

This change is backwards-incompatible, because two things have changed: the name of the database field (changed from "password_md5" to "password") and the length of the field (from 32 to 128). See the backwards-incompatible changes page for information on how to change your database. It's an easy update.

Of course, the password data itself is backwards-compatible. If Django finds a password in the old format (encrypted as MD5), it will transparently change the password's encryption to the new format (salted SHA-1) the first time user.check_password() is successfully called.

See the new Passwords section of the authentication docs for full information.

Finally, note that this change applies only to the Django development version. If you're using Django 0.90, you won't see this change until the next release.

Posted by Adrian Holovaty on November 20, 2005