Security advisory: Strengthening the password hashes in your database

Posted by Tim Graham on February 23, 2016

Are the password hashes in your database strong enough to prevent them from being cracked if your database is compromised?

Django 0.90 stored passwords as unsalted MD5. Django 0.91 added support for salted SHA1 with automatic upgrade of passwords when a user logs in. Django 1.4 added PBKDF2 as the default password hasher.

If you have an old Django project with MD5 or SHA1 (even salted) encoded passwords, be aware that these can be cracked fairly easily with today's hardware. Consider using a wrapped password hasher to strengthen the hashes in your database. Django 1.10 will remove the MD5 and SHA1 hashers from the default PASSWORD_HASHERS setting to force projects to acknowledge continued use of a weak hasher.

News & Events

Security advisory: Strengthening the password hashes in your database

Additional Information

Support Django!

Upcoming Events

Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

RSS Feeds

Django Links

Learn More

Get Involved

Get Help

Follow Us

Support Us