From 45daf529f87e6d2441607d03659d96d291ed8b66 Mon Sep 17 00:00:00 2001
From: Danielle McLean
Date: Tue, 6 Feb 2018 16:18:15 +1100
Subject: [PATCH] Switch the preferred password hash from PBKDF2 to the newer and more secure Argon2
---
 Pipfile | 1 +
 Pipfile.lock | 124 +++++++++++++++++++++++++++---------
 lemoncurry/settings/base.py | 10 +++
 3 files changed, 106 insertions(+), 29 deletions(-)
diff --git a/Pipfile b/Pipfile
index f763089..a2e5d94 100644
--- a/Pipfile
+++ b/Pipfile
@@ -46,6 +46,7 @@ hiredis = "*"
 "mf2util" = "*"
 django-cors-headers = "*"
 pytest-django = "*"
+"argon2-cffi" = "*"
 [dev-packages]
diff --git a/Pipfile.lock b/Pipfile.lock
index 40a3eb5..265b7df 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "hash": {
- "sha256": "192eb5641b85f4522cc08caa73a7b588eb4d67566b2c62bc506c31a5ef292c47"
+ "sha256": "81ebb49766d8eff61ba665dc794078637f5fc9980e59f6cb7038fa5d993c7a95"
 },
 "host-environment-markers": {
 "implementation_name": "cpython",
@@ -35,6 +35,34 @@ ], "version": "==0.3.0" }, + "argon2-cffi": { + "hashes": [ + "sha256:93f631fa567dbf948f26874476c9e9afb51e0a835372bf1a319df0c5aa071bfb", + "sha256:131effd5eabbe08649bc672b5d602fd6e2772b03cfec2ddb2795f9d9babe3fba", + "sha256:5f1099b0f5ee4a7148bbd323503983aa4387ab16769ff9b5c51d26f6b0f1719e", + "sha256:f732ca584e81491cc11e3d12e18cbd8c63e137b3f461f378426a6fdaaef47fb0", + "sha256:fcd5681388d1f18e4a7ee3ff7a9b68650bc04db044b5a0a832728cbce182806d", + "sha256:4c510232a96e991079a743a9310d3c9a014856cdbca644fccc496db2a1ff0e17", + "sha256:82db759b8a495aaed51aec4762b0f44e5e7ad80256e8baf512ae70cdb3b28c50", + "sha256:c60764fe7f62cc52a74f326e366c60f7aa33a1586c8d02107394a01ae9db6e91", + "sha256:07480018d77f4c7447924e6c44c5ba1789a918413fe3efaa391a097958bbd9f6", + "sha256:77a3d50e6325df79499e1220b7c38adbd30588c2f6d7c2d764fddb2d3b02e650", + "sha256:7f4b6d7c38258e76c1db293a6cf55b7e31701927fc773c5108e57578c7f8e09a", + "sha256:a14e6d99787a2972d3802615911770fcba9c904401fb0dfb60bdeb250b4c5110", + "sha256:cba2c8c539bed691513ae1bcd5a7da632d2aa2410d8b8ebdf56026eac7e2193f", + "sha256:10e702dbd98a2148d22de9524a605021bdc55d05304beb90ea801ba58c4a4f1e", + "sha256:d79c918cf8bf981cd23b43a1a547cd1eececb77f3607ba9fa7c0ec01bf1f05a5", + "sha256:dc3028ec541146924e3c45973b458a7acf390b9e9ee0b64a13ac0853109a69bc", + "sha256:3f3b48b4802e98bb9692d72108ecad2fecea969c254c17660b70ce5730bbe4a6", + "sha256:67452b1f10e873ececcea657c25d063e4bb4007e115227a53157369de5848992", + "sha256:9befaa6d9798d9771b8176174ba82160beaf1dcdbcc63cd2dc5212f723e5e2a3", + "sha256:eb3fcb55224a47b8d50830561977c64761eaad9e349af0b2241eab089af44a14", + "sha256:92b3f8f93b19081d520d911f1ce5902693edeeab2181c08aa0bb4130adba51aa", + "sha256:05dd15949be3a7d9f65807fe58fad70526023a319747054bb89da209c4071a33", + "sha256:7e4b75611b73f53012117ad21cdde7a17b32d1e99ff6799f22d827eb83a2a59b" + ], + "version": "==18.1.0" + }, "attrs": { "hashes": [ "sha256:a17a9573a6f475c99b551c0e0a812707ddda1ec9653bed04c13841404ed6f450", 
@@ -70,6 +98,38 @@ ], "version": "==2018.1.18" }, + "cffi": { + "hashes": [ + "sha256:5d0d7023b72794ea847725680e2156d1d01bc698a9007fccce46d03c904fe093", + "sha256:86903c0afab4a3390170aca61f753f5adad8ffff947030719ee44dedc5b68403", + "sha256:7d35678a54da0d3f1bc30e3a58a232043753d57c691875b5a75e4e062793bc9a", + "sha256:824cac33906be5c8e976f0d950924d88ec058989ef9cd2f77f5cd53cec417635", + "sha256:6ca52651f6bd4b8647cb7dee15c82619de3e13490f8e0bc0620830a2245b51d1", + "sha256:a183959a4b1e01d6172aeed356e2523ec8682596075aa6cf0003fe08da959a49", + "sha256:9532c5bc0108bd0fe43c0eb3faa2ef98a2db60fc0d4019f106b88d46803dd663", + "sha256:96652215ef328262b5f1d5647632bd342ac6b31dfbc495b21f1ab27cb06d621d", + "sha256:6c99d19225e3135f6190a3bfce2a614cae8eaa5dcaf9e0705d4ccb79a3959a3f", + "sha256:12cbf4c04c1ad07124bfc9e928c01e282feac9ec7dd72a18042d4fc56456289a", + "sha256:69c37089ccf10692361c8d14dbf4138b00b46741ffe9628755054499f06ed548", + "sha256:b8d1454ef627098dc76ccfd6211a08065e6f84efe3754d8d112049fec3768e71", + "sha256:cd13f347235410c592f6e36395ee1c136a64b66534f10173bfa4df1dc88f47d0", + "sha256:0640f12f04f257c4467075a804a4920a5d07ef91e11c525fc65d715c08231c81", + "sha256:89a8d05b96bdeca8fdc89c5fa9469a357d30f6c066262e92c0c8d2e4d3c53cae", + "sha256:a67c430a9bde73ae85b0c885fcf41b556760e42ea74c16dc70431a349989b448", + "sha256:7a831170b621e98f45ed1d5758325be19619a593924127a0a47af9a72a117319", + "sha256:796d0379102e6da5215acfcd20e8e69cca9d97309215b4ce088fe175b1c2f586", + "sha256:0fe3b3d571543a4065059d1d3d6d39f4ca6da0f2207ad13547094522e32ead46", + "sha256:678135090c311780382b1dd3f828f715583ea8a69687ed053c047d3cec6625d6", + "sha256:f4992cd7b4c867f453d44c213ee29e8fd484cf81cfece4b6e836d0982b6fa1cf", + "sha256:6d191fb20138fe1948727b20e7b96582b7b7e676135eabf72d910e10bf7bfa65", + "sha256:ec208ca16e57904dd7f4c7568665f80b1f7eb7e3214be014560c28def219060d", + "sha256:b3653644d6411bf4bd64c1f2ca3cb1b093f98c68439ade5cef328609bbfabf8c", + 
"sha256:f4719d0bafc5f0a67b2ec432086d40f653840698d41fa6e9afa679403dea9d78", + "sha256:87f837459c3c78d75cb4f5aadf08a7104db15e8c7618a5c732e60f252279c7a6", + "sha256:df9083a992b17a28cd4251a3f5c879e0198bb26c9e808c4647e0a18739f1d11d" + ], + "version": "==1.11.4" + }, "chardet": { "hashes": [ "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691", @@ -161,9 +221,9 @@ }, "django-favicon-plus": { "hashes": [ - "sha256:824da4ecd3501a157d9538ed1b0672227b2a8a5a3d940bd075ba5b5c636fb400" + "sha256:3394a951d8dc611eb1ea027ad1181d7f650ca234506585b27e93d7ed06b981bf" ], - "version": "==0.0.7" + "version": "==0.0.8" }, "django-meta": { "hashes": [ @@ -320,9 +380,9 @@ }, "msgpack-python": { "hashes": [ - "sha256:69aa1eb0e13be1d3bd495ca937eae66df4431126f5cfd5491dc40370e5644853" + "sha256:23f688905bb9fbf00faa7346e72a72e670e68f3f5d94aeea5c123dd0e07de49c" ], - "version": "==0.5.1" + "version": "==0.5.2" }, "pillow": { "hashes": [ 
@@ -419,33 +479,39 @@ ], "version": "==1.5.2" }, + "pycparser": { + "hashes": [ + "sha256:99a8ca03e29851d96616ad0404b4aad7d9ee16f25c9f9708a11faf2810f7b226" + ], + "version": "==2.18" + }, "pycryptodome": { "hashes": [ - "sha256:a29949dca189e65974cb241a742f35ecafe514a9ac9526c5277b25fc43d46e4a", - "sha256:bbd9164c7f319b2df3509ae9c997a84f726a4c728bbf7e33fac68ca31c377a2a", - "sha256:1ff7fd63dea53cb8032e229c35b1b4f8f4dbb0ad3a410677c2da94113e323b7c", - "sha256:df91961df04856976cf197cee072e17b1e193a32dacf9d97335105a4785f6370", - "sha256:5ed92aaf3eeafa84193ef56c0e2726ac8fc6324839214e00868cb7aae15ac819", - "sha256:caff049858f0c6471005b968fafff7824d8deda72eb4a3bc649bd42d05d9d9a9", - "sha256:2a531312dd3460f25f565d8c24c63b3f02bcd4df7cbd65fc0d215cd44e2bceb0", - "sha256:84aa0aa39e3f0d948a7f73bb443bc41936d749c6dc105656703845e0cd2410ba", - "sha256:7f8c4d7a2367a8bf3d65564f33ebd8bfcc278b0d5df962579c2546b35d370b25", - "sha256:b8b8695f442b3cd03ab1114e5765dd79ea334a2ae23ad0dcba47033dd3acb0cf", - "sha256:3165de346fa68889fb258d85352df6db36c314d9e50f18215abbeb113c91eb3a", - "sha256:7ee95f2d859f6dca2b01ba4e2245e0d102b0c35aff2269a9541dc70421949411", - "sha256:8e2c3e4bf9a49be16858f81fa6a283c789b489df9d0a57cfac200dd36f1ed4f0", - "sha256:2af97d4e3734d449f1cb6be8344f1cdc3e20b7ba08c3223cf0f93ae3ad2850e7", - "sha256:fe8ff144f82302021481150d6b86aa8445288faad331fa645a91e65bddc256b4", - "sha256:84abcf9d5d36c38ca0b70b6e89fb9e9deb19eb5b18ac865157f118c733fdb495", - "sha256:b59778f268acc8c67d71a9f0a182211209e69dba55aedd53315d3a2a34378f96", - "sha256:6340ef775a2ae164e62be4390a8b382307b317a1994bec594d787c4adaada18c", - "sha256:db3a5dc5dedaaa72a0339e2ff92bd749db13111acf5d2ba4e1492a61110e493e", - "sha256:8da80b68e39efc87cf7a135cf86f183abff775779690b6a3dfe1f8640142a9ea", - "sha256:38af2a480db3cd1b19411b597a022ae478b6c2b1383a857b2af161f800a3dba3", - "sha256:3b07e5231f1ad8f5962b195d030425aa9978570d6ccf59c585e50e57a3efae2d", - "sha256:00cc7767c7bbe91f15a65a1b2ebe7a08002b8ae8221c1dcecc5c5c9ab6f79753" + 
"sha256:444053c24b336daa7f84bf872df7a6b9950697559926aea5775f5aa757b67a3e", + "sha256:29d3a581cfcc68ca66f7c5d4830944556ddca9e2747e214bde8028972bb1901f", + "sha256:7bda0f395fd8ef6b1fa7cded00d5cca72005ff158fc30703e1337fe32fbf2102", + "sha256:bdd8581dae617b9fbe6e8dbdd96590c02fc33eebc411b0273fd62b4d468d0bb7", + "sha256:89a0a233ed3a216ae117323d8fb0da38f1ca344dc1021559e38416cce23592a0", + "sha256:5d390f8c6562173b913f0359cd87d5bc2e3245cc88ec4edf59d8c52107f24d29", + "sha256:44ad06faf5ee589c1127a18610695a65815ed5db724b58687294ee907ec546ba", + "sha256:c8922f187fcac3b2afa6d200ef00cd4e69719799b54b4f2f2741b2e4c96ccd61", + "sha256:2aeded7095564b8a068402531c7407517cd714a0fe9872f76c69bd4400b07613", + "sha256:c88e9a04d3ed89689bc76ce0a90b018cdd4edb94ab99ce31264f2e15bad9d752", + "sha256:64a0cccf590546e7de602378f21482cb06cd1a1995cdfb121b123394c48b05c3", + "sha256:21fd74571b3579cbf36792916ad76a4ecf91581a112bb78ec48e20389dcdb912", + "sha256:11ca73effcc15596b62d601a6b3c48ea607fb5219546d406312520d63c446bf5", + "sha256:ce3110812d8823c3182fc7f841031387ee6fda27d8696da8949a99b026048e7e", + "sha256:29e8d3770bc0a0366093eb693ca40c5be56ed5a7ca214af5156a0b2e23053549", + "sha256:d9ae42a88c716a7ca9a53966562968921883211b6390eeab22e5b735dbc49f49", + "sha256:d3136fe71a37882ca457bea5917f1db5431f18f1bd91b0f7c4cec57ac4d57016", + "sha256:0ebbcdbd21b5d8569c5b44137e2071d28c14a7460afdd8b1f6398a1548c4773a", + "sha256:5ce44a755be8aef369d1057a38bff01501db0b89ba38c3292578f42ed401f355", + "sha256:1d3065b741ec8d269327e4487eacd187e0bf909e7a73d0a959da1a0918b16fa9", + "sha256:cb81302f3295a14722f6c26c44ab4023d66f8394db4c316ccf5658dbada2ac91", + "sha256:4fd2584719895ff041cf48766014ef6b5a170f5caf0e2dc735837b182e78d081", + "sha256:c5dd29e9f1b733e74311bf95d0e544e91bd1d14bc0366e8f443562d8d9920b7d" ], - "version": "==3.4.9" + "version": "==3.4.11" }, "pytest": { "hashes": [ diff --git a/lemoncurry/settings/base.py b/lemoncurry/settings/base.py index 81f50cd..6f87f58 100644 --- a/lemoncurry/settings/base.py 
+++ b/lemoncurry/settings/base.py
@@ -157,6 +157,16 @@ DATABASES = {
 AUTH_USER_MODEL = 'users.User'
+# Password hashers
+# https://docs.djangoproject.com/en/1.11/ref/settings/#auth-password-validators
+PASSWORD_HASHERS = [
+ 'django.contrib.auth.hashers.Argon2PasswordHasher',
+ 'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+ 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
+ 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
+ 'django.contrib.auth.hashers.BCryptPasswordHasher',
+]
+
 # Password validation
 # https://docs.djangoproject.com/en/1.11/ref/settings/#auth-password-validators