Switch the preferred password hash from PBKDF2 to the newer and more secure Argon2

2018-02-06 16:18:15 +11:00 · 2018-02-06 16:18:15 +11:00 · 45daf529f8
commit 45daf529f8
parent cbc24d4774
3 changed files with 106 additions and 29 deletions
--- a/lemoncurry/settings/base.py
+++ b/lemoncurry/settings/base.py
@ -157,6 +157,16 @@ DATABASES = {

 AUTH_USER_MODEL = 'users.User'

+# Password hashers
+# https://docs.djangoproject.com/en/1.11/ref/settings/#auth-password-validators
+PASSWORD_HASHERS = [
+    'django.contrib.auth.hashers.Argon2PasswordHasher',
+    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
+    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
+    'django.contrib.auth.hashers.BCryptPasswordHasher',
+]
+
 # Password validation
 # https://docs.djangoproject.com/en/1.11/ref/settings/#auth-password-validators