{ "info": { "author": "Fred Wenzel", "author_email": "fwenzel@mozilla.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Environment :: Web Environment", "Environment :: Web Environment :: Mozilla", "Framework :: Django", "Intended Audience :: Developers", "License :: OSI Approved :: BSD License", "Operating System :: OS Independent", "Programming Language :: Python", "Topic :: Software Development :: Libraries :: Python Modules" ], "description": "Strong password hashes for Django\n=================================\n\nThis is a monkey-patch for Django, adding strong password hashing to be used\nby default.\n\nGetting started\n---------------\n\nInstall this app using ``easy_install`` or ``pip``, and enable it by adding\nthe following to your ``settings.py`` file:\n\n INSTALLED_APPS = (\n # ...\n 'django.contrib.auth',\n 'django_sha2', # Load after auth to monkey-patch it.\n # ...\n )\n PWD_ALGORITHM = 'bcrypt' # one of: bcrypt, sha512, sha512b64, sha256\n BCRYPT_ROUNDS = 12 # optional. 12 is the default. Only needed for bcrypt.\n\nAdd something like the following to your ``settings_local.py`` file, and keep\nit secret:\n\n HMAC_KEYS = {\n '2011-01-01': 'ThisisASharedKey',\n '2010-06-01': 'OldSharedKey',\n '2010-01-01': 'EvenOlderSharedKey'\n }\n\n``HMAC_KEYS`` is a dictionary ``{key-id: shared-secret}``. You only need one\nkey to start. The dictionary key can be an ISO date, or almost anything else,\nbut the latest key will be determined by sorting.\n\n**Note:** If you don't have a ``settings_local.py`` file or similar, make sure\nto use ``from settings_local import *`` at the end of ``settings.py`` and add\nit to the ignore file for your version control system, so it becomes part of\nyour Django settings, but is not committed to the repository.\n\nThis change is backwards-compatible (i.e., existing SHA-1 hashes in the\ndatabase keep on working), and does not require database changes\\*.\n\n\\*: unless you're using SHA-512 (see below).\n\n\nThe default: Bcrypt and HMAC\n----------------------------\n\nA quick overview over the default hash algorithm: It uses a combination of\nBcrypt and HMAC with SHA-512. [HMAC][hmac] is a hash function that involves\nthe use of a secret key -- the ``HMAC_KEYS`` you entered above will be used\nfor the calculation.\n\nThe reason a machine-local secret is involved in the calculation is so that\nif an attacker gains access to a database, the data will be useless without\n_also_ having gained file-system access to steal the local secret.\n\n``HMAC_KEYS`` is a dictionary so that you can change the key periodically\nand deprecate old keys, or revoke keys altogether that are too old or you\nfear might have leaked.\n\nSecond, the hash is hashed again using [bcrypt][bcrypt], which is\ncomputationally hard and therefore protects better against brute-force offline\nattacks.\n\n[hmac]: http://en.wikipedia.org/wiki/HMAC\n[bcrypt]: http://bcrypt.sourceforge.net/\n\n\nTransparent password rehashing\n------------------------------\nIn case you have existing users with weaker password hashes (like SHA-1) in\nthe database, django\\_sha2 will **automatically rehash** their password in the\ndatabase with a your currently chosen hash algorithm during their next login.\n\nThis is enabled by default. If you don't like it, set this in your settings\nfile:\n\n PWD_REHASH = False\n\nSimilarly, django\\_sha2 automatically updates users' password hashes to the\n**latest HMAC key** on login, which is usually what you want, so it is enabled\nby default. To disable, set this setting:\n\n PWD_HMAC_REKEY = False\n\n\nA note on SHA-512\n-----------------\nDjango's default password field is limited to 128 characters, which does not\nfit a hex-encoded SHA512 hash. In order to not require a database migration\nfor every project that uses this, we encode the SHA512 hash in Base 64 as\nopposed to hex. To use this, set your hash backend as follows:\n\n PWD_ALGORITHM = 'sha512b64'\n\nIf you want to use hex-encoded SHA512 instead, use the following:\n\n PWD_ALGORITHM = 'sha512'\n\nBe advised, however, that you need to ensure your database's password field can\nhold at least 156 characters.\n\nWhen starting a new project, it is safe to use the Sha512 backend straight away:\ndjango\\_sha2 will create the password field with a ``max_length`` of 255 when\nrunning ``syncdb`` for the first time.\n\n\nHistory\n-------\nThis started off as a monkey-patch for SHA-256 in Django and, over SHA-512,\nturned into a strong hash library featuring bcrypt and hmac support.\n\nFor the initial idea, read the [blog post][blog] about it.\n\n[blog]: http://fredericiana.com/2010/10/12/adding-support-for-stronger-password-hashes-to-django/\n\nUsing django 1.4\n-------\n\nDjango 1.4 allows us to create our own password hashers. Because of some of the\ndesign choices of django's model, we have to generate a hasher class for each\nof our HMAC_KEYS. Lucky for you, we have code to help you! Define\nBASE_PASSWORD_HASHERS for all hashers you might use to decrypt something in\nyour database (i.e. if in the past you used SHA256, make sure its in this\nsetting). Form there, if you follow the code below, all your passwords will\nautomatically stay up to date with the latest algorthim/hmac_key.\n\nThis is an example settings file snippet:\n\n```python\nHMAC_KEYS = {\n '2010-06-01': 'OldSharedKey',\n '2011-01-01': 'ThisisASharedKey',\n '2010-01-01': 'EvenOlderSharedKey'\n}\n\nBASE_PASSWORD_HASHERS = (\n 'django_sha2.hashers.BcryptHMACCombinedPasswordVerifier',\n 'django_sha2.hashers.SHA512PasswordHasher',\n 'django_sha2.hashers.SHA256PasswordHasher',\n 'django.contrib.auth.hashers.SHA1PasswordHasher',\n 'django.contrib.auth.hashers.MD5PasswordHasher',\n 'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher',\n)\n\nfrom django_sha2 import get_password_hashers\nPASSWORD_HASHERS = get_password_hashers(BASE_PASSWORD_HASHERS, HMAC_KEYS)\n```", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://github.com/fwenzel/django-sha2", "keywords": null, "license": "BSD", "maintainer": null, "maintainer_email": null, "name": "django-sha2", "package_url": "https://pypi.org/project/django-sha2/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/django-sha2/", "project_urls": { "Download": "UNKNOWN", "Homepage": "http://github.com/fwenzel/django-sha2" }, "release_url": "https://pypi.org/project/django-sha2/0.4/", "requires_dist": null, "requires_python": null, "summary": "Enable strong password hashes (bcrypt+hmac or SHA-2) in Django by default.", "version": "0.4" }, "last_serial": 790590, "releases": { "0.4": [ { "comment_text": "", "digests": { "md5": "64dddf0da5f25280a5ce2cd30367f8ad", "sha256": "b06a86451a99d6c26bfa65082999dbf658e087e596e9292cce688b53eabaaada" }, "downloads": -1, "filename": "django-sha2-0.4.tar.gz", "has_sig": false, "md5_digest": "64dddf0da5f25280a5ce2cd30367f8ad", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8778, "upload_time": "2012-12-15T00:40:37", "url": "https://files.pythonhosted.org/packages/81/c9/2e12725dc294766063d51a1bcaf867eb266eabc3dda5057a22af77092306/django-sha2-0.4.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "64dddf0da5f25280a5ce2cd30367f8ad", "sha256": "b06a86451a99d6c26bfa65082999dbf658e087e596e9292cce688b53eabaaada" }, "downloads": -1, "filename": "django-sha2-0.4.tar.gz", "has_sig": false, "md5_digest": "64dddf0da5f25280a5ce2cd30367f8ad", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8778, "upload_time": "2012-12-15T00:40:37", "url": "https://files.pythonhosted.org/packages/81/c9/2e12725dc294766063d51a1bcaf867eb266eabc3dda5057a22af77092306/django-sha2-0.4.tar.gz" } ] }