Django/django
11
0
Fork 0
Code Pull Requests Projects Releases Activity

Added note about password updates on argon2 attributes change.

Browse Source
This commit is contained in:
Roy Zheng 2020-08-10 14:30:39 -07:00 committed by Mariusz Felisiak
parent ebd78a9f97
commit 804f2b7024
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/topics/auth/passwords.txt
View File

@ -224,8 +224,8 @@ However, Django can only upgrade passwords that use algorithms mentioned in
:setting:`PASSWORD_HASHERS`, so as you upgrade to new systems you should make :setting:`PASSWORD_HASHERS`, so as you upgrade to new systems you should make
sure never to *remove* entries from this list. If you do, users using sure never to *remove* entries from this list. If you do, users using
unmentioned algorithms won't be able to upgrade. Hashed passwords will be unmentioned algorithms won't be able to upgrade. Hashed passwords will be
updated when increasing (or decreasing) the number of PBKDF2 iterations or updated when increasing (or decreasing) the number of PBKDF2 iterations, bcrypt
bcrypt rounds. rounds, or argon2 attributes.
Be aware that if all the passwords in your database aren't encoded in the Be aware that if all the passwords in your database aren't encoded in the
default hasher's algorithm, you may be vulnerable to a user enumeration timing default hasher's algorithm, you may be vulnerable to a user enumeration timing