Security advisory: Strengthening the password hashes in your database

Posted by Tim Graham on February 23, 2016

Are the password hashes in your database strong enough to prevent them from being cracked if your database is compromised?

Django 0.90 stored passwords as unsalted MD5. Django 0.91 added support for salted SHA1 with automatic upgrade of passwords when a user logs in. Django 1.4 added PBKDF2 as the default password hasher.

If you have an old Django project with MD5 or SHA1 (even salted) encoded passwords, be aware that these can be cracked fairly easily with today's hardware. Consider using a wrapped password hasher to strengthen the hashes in your database. Django 1.10 will remove the MD5 and SHA1 hashers from the default PASSWORD_HASHERS setting to force projects to acknowledge continued use of a weak hasher.
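As an added illustration of the wrapped-hasher idea described above (this is not Django's own hasher and not code from the original post), the following stand-alone Python uses only the standard library: it takes an existing `sha1$salt$digest` entry, strengthens it with PBKDF2 without knowing the password, and verifies logins against the wrapped entry. The algorithm name, iteration count and `$`-separated layout are assumptions that mirror Django's hash-string style.

```python
import base64
import hashlib
import hmac

# Assumed identifiers for this example; they mirror Django's naming style but
# are not Django's own hasher or its default iteration count.
WRAPPED_ALGORITHM = "pbkdf2_wrapped_sha1"
ITERATIONS = 100_000


def legacy_sha1_encode(password: str, salt: str) -> str:
    """Produce a salted-SHA1 entry in the legacy layout: sha1$<salt>$<hexdigest>."""
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return f"sha1${salt}${digest}"


def _pbkdf2_over(sha1_hex: str, salt: str, iterations: int) -> str:
    """Run PBKDF2-HMAC-SHA256 over the SHA1 hex digest, not over the password."""
    dk = hashlib.pbkdf2_hmac("sha256", sha1_hex.encode(), salt.encode(), iterations)
    return base64.b64encode(dk).decode("ascii").strip()


def wrap_legacy_hash(legacy: str, iterations: int = ITERATIONS) -> str:
    """Strengthen an existing sha1$salt$digest entry offline, in bulk.

    The original password is never needed: the stored SHA1 digest becomes
    the PBKDF2 input, and the original salt is kept so verification can
    recompute the same SHA1 step from the submitted password.
    """
    parts = legacy.split("$")
    if len(parts) != 3 or parts[0] != "sha1":
        raise ValueError("only sha1$salt$digest entries can be wrapped here")
    _, salt, sha1_hex = parts
    wrapped = _pbkdf2_over(sha1_hex, salt, iterations)
    return f"{WRAPPED_ALGORITHM}${iterations}${salt}${wrapped}"


def verify_wrapped(password: str, encoded: str) -> bool:
    """Check a login: recompute SHA1(salt + password), then PBKDF2, compare."""
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != WRAPPED_ALGORITHM:
        return False
    _, iterations, salt, stored = parts
    sha1_hex = hashlib.sha1((salt + password).encode()).hexdigest()
    candidate = _pbkdf2_over(sha1_hex, salt, int(iterations))
    # Constant-time comparison so verification timing does not leak prefix matches.
    return hmac.compare_digest(candidate, stored)
```

Once every legacy row has been wrapped, the plain `sha1` hasher can be dropped from `PASSWORD_HASHERS`, and a login-time upgrade can later replace the wrapped entry with a normal PBKDF2 hash of the password itself.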
