	Merge pull request #1062 from dstufft/switch-bcrypt-recommendations
Recommend using the bcrypt library instead of py-bcrypt
		| @@ -263,13 +263,13 @@ class BCryptSHA256PasswordHasher(BasePasswordHasher): | |||||||
|     Secure password hashing using the bcrypt algorithm (recommended) |     Secure password hashing using the bcrypt algorithm (recommended) | ||||||
|  |  | ||||||
|     This is considered by many to be the most secure algorithm but you |     This is considered by many to be the most secure algorithm but you | ||||||
|     must first install the py-bcrypt library.  Please be warned that |     must first install the bcrypt library.  Please be warned that | ||||||
|     this library depends on native C code and might cause portability |     this library depends on native C code and might cause portability | ||||||
|     issues. |     issues. | ||||||
|     """ |     """ | ||||||
|     algorithm = "bcrypt_sha256" |     algorithm = "bcrypt_sha256" | ||||||
|     digest = hashlib.sha256 |     digest = hashlib.sha256 | ||||||
|     library = ("py-bcrypt", "bcrypt") |     library = ("bcrypt", "bcrypt") | ||||||
|     rounds = 12 |     rounds = 12 | ||||||
|  |  | ||||||
|     def salt(self): |     def salt(self): | ||||||
| @@ -329,7 +329,7 @@ class BCryptPasswordHasher(BCryptSHA256PasswordHasher): | |||||||
|     Secure password hashing using the bcrypt algorithm |     Secure password hashing using the bcrypt algorithm | ||||||
|  |  | ||||||
|     This is considered by many to be the most secure algorithm but you |     This is considered by many to be the most secure algorithm but you | ||||||
|     must first install the py-bcrypt library.  Please be warned that |     must first install the bcrypt library.  Please be warned that | ||||||
|     this library depends on native C code and might cause portability |     this library depends on native C code and might cause portability | ||||||
|     issues. |     issues. | ||||||
|  |  | ||||||
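Review bot: In the first hunk, `library = ("bcrypt", "bcrypt")` now holds two identical strings, so a reader can no longer tell which element is the package name shown to the user and which is the module that gets imported. A one-line comment such as `# (PyPI distribution name, importable module name)` would keep that clear; the code that consumes the tuple is outside the hunk, so confirm the order there before adding it. Both py-bcrypt and the bcrypt distribution install a top-level module named `bcrypt`, so the import alone presumably succeeds with either one, and an environment that still has py-bcrypt installed would not be noticed after this change. The bodies of both hasher classes continue outside the hunks shown.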
|   | |||||||
| @@ -92,7 +92,7 @@ class TestUtilsHashPass(unittest.TestCase): | |||||||
|         self.assertFalse(check_password('lètmeiz', encoded)) |         self.assertFalse(check_password('lètmeiz', encoded)) | ||||||
|         self.assertEqual(identify_hasher(encoded).algorithm, "crypt") |         self.assertEqual(identify_hasher(encoded).algorithm, "crypt") | ||||||
|  |  | ||||||
|     @skipUnless(bcrypt, "py-bcrypt not installed") |     @skipUnless(bcrypt, "bcrypt not installed") | ||||||
|     def test_bcrypt_sha256(self): |     def test_bcrypt_sha256(self): | ||||||
|         encoded = make_password('lètmein', hasher='bcrypt_sha256') |         encoded = make_password('lètmein', hasher='bcrypt_sha256') | ||||||
|         self.assertTrue(is_password_usable(encoded)) |         self.assertTrue(is_password_usable(encoded)) | ||||||
| @@ -108,7 +108,7 @@ class TestUtilsHashPass(unittest.TestCase): | |||||||
|         self.assertTrue(check_password(password, encoded)) |         self.assertTrue(check_password(password, encoded)) | ||||||
|         self.assertFalse(check_password(password[:72], encoded)) |         self.assertFalse(check_password(password[:72], encoded)) | ||||||
|  |  | ||||||
|     @skipUnless(bcrypt, "py-bcrypt not installed") |     @skipUnless(bcrypt, "bcrypt not installed") | ||||||
|     def test_bcrypt(self): |     def test_bcrypt(self): | ||||||
|         encoded = make_password('lètmein', hasher='bcrypt') |         encoded = make_password('lètmein', hasher='bcrypt') | ||||||
|         self.assertTrue(is_password_usable(encoded)) |         self.assertTrue(is_password_usable(encoded)) | ||||||
|   | |||||||
| @@ -76,8 +76,8 @@ use it Django supports bcrypt with minimal effort. | |||||||
|  |  | ||||||
| To use Bcrypt as your default storage algorithm, do the following: | To use Bcrypt as your default storage algorithm, do the following: | ||||||
|  |  | ||||||
| 1. Install the `py-bcrypt`_ library (probably by running ``sudo pip install | 1. Install the `bcrypt library`_ (probably by running ``sudo pip install | ||||||
|    py-bcrypt``, or downloading the library and installing it with ``python |    bcrypt``, or downloading the library and installing it with ``python | ||||||
|    setup.py install``). |    setup.py install``). | ||||||
|  |  | ||||||
| 2. Modify :setting:`PASSWORD_HASHERS` to list ``BCryptSHA256PasswordHasher`` | 2. Modify :setting:`PASSWORD_HASHERS` to list ``BCryptSHA256PasswordHasher`` | ||||||
| @@ -185,7 +185,7 @@ mentioned algorithms won't be able to upgrade. | |||||||
| .. _pbkdf2: http://en.wikipedia.org/wiki/PBKDF2 | .. _pbkdf2: http://en.wikipedia.org/wiki/PBKDF2 | ||||||
| .. _nist: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf | .. _nist: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf | ||||||
| .. _bcrypt: http://en.wikipedia.org/wiki/Bcrypt | .. _bcrypt: http://en.wikipedia.org/wiki/Bcrypt | ||||||
| .. _py-bcrypt: http://pypi.python.org/pypi/py-bcrypt/ | .. _`bcrypt library`: https://pypi.python.org/pypi/bcrypt/ | ||||||
|  |  | ||||||
|  |  | ||||||
| Manually managing a user's password | Manually managing a user's password | ||||||
|   | |||||||