Is it possible to change the Hashing algorithm in django_auth?

Asked Jan 09 '12 at 20:09

Active Feb 17 '20 at 08:39

Viewed 2,383 times

2

I have a running wiki with users. Now I want to write an app in Django to do a specific task.

I have to use my "old" users/groups database (which has a different hashing algorithm for passwords then django_auth) and sync it every now and then since my users already have a login which has to be the same everywhere.

I want to use django_auth as well.

Is it possible to change the Hashing algorithm in django_auth?

so that django auth uses a function I write to check whether the password inserted is right or wrong.

Thanks in advance, Senad. =)

asked Jan 09 '12 at 20:09

Senči

911
2
10
25

3 Answers3

6

Quoting How Django stores passwords docs:

Django chooses the algorithm to use by consulting the PASSWORD_HASHERS setting. This is a list of hashing algorithm classes that this Django installation supports. The first entry in this list (that is, settings.PASSWORD_HASHERS[0]) will be used to store passwords, and all the other entries are valid hashers that can be used to check existing passwords. This means that if you want to use a different algorithm, you’ll need to modify PASSWORD_HASHERS to list your preferred algorithm first in the list.

You can write your custom one, just copy paste a hasher from https://github.com/django/django/blob/master/django/contrib/auth/hashers.py, make your customizations and add to settings:

PASSWORD_HASHERS = [
    'myApp.myUtils.CesarPasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.Argon2PasswordHasher',
    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
]

edited Feb 17 '20 at 08:39

answered Jan 09 '12 at 20:26

dani herrera

48,760
8
117
177

i would vote your comment up but i am not allowed yet =) have a nice day – Senči Jan 10 '12 at 19:04
Link was broken. – shaik moeed Feb 17 '20 at 07:25
1

hi @shaikmoeed, thanks, was an answer from '12! Updated. – dani herrera Feb 17 '20 at 08:39
Thanks for updating. If I'm using `django_auth_ldap` library, will these hashers applicable to LDAP logins? Can you please look into [this](https://stackoverflow.com/q/60223293/8353711) in your free time? – shaik moeed Feb 17 '20 at 09:49

1

You can write a custom authentication backend that includes its own authenticate function to check passwords according to your custom hash. Of course, you'll need some way of distinguishing between the different types of users.

answered Jan 09 '12 at 20:27

Daniel Roseman

588,541
66
880
895

what do you mean by "the different types of users" ? – Senči Jan 10 '12 at 15:23
I understood you to mean that you had some users for whom you wanted to use the existing django-auth hashing. – Daniel Roseman Jan 10 '12 at 15:25
nope, i want to use the existing wiki-database users and groups. sync that when required (e.g. login failed). thanks anyways :) – Senči Jan 10 '12 at 15:45
Cool, well just ignore that bit of my answer - the custom authentication backend is still the way to go. – Daniel Roseman Jan 10 '12 at 15:57

1

Yes it's possible. See django-bcyrpt for an example. It will be easier to change in Django 1.4: https://docs.djangoproject.com/en/dev/releases/1.4/#improved-password-hashing

answered Jan 09 '12 at 20:30

Mark Lavin

24,664
5
76
70