• Stars: 110
• Rank: 316,770 (Top 7 %)
• Language: Python
• License: BSD 3-Clause "New...
• Created: almost 14 years ago
• Updated: about 3 years ago


Repository Details

Add strong (but backwards-compatible) password hashing support to Django 1.3 and 1.4 (SHA2, bcrypt+hmac).

Strong password hashes for Django

This is a monkey-patch for Django, adding strong password hashing to be used by default.

Getting started

Install this app using easy_install or pip, and enable it by adding the following to your settings.py file:

INSTALLED_APPS = (
    # ...
    'django.contrib.auth',
    'django_sha2',  # Load after auth to monkey-patch it.
    # ...
)
PWD_ALGORITHM = 'bcrypt'  # one of: bcrypt, sha512, sha512b64, sha256
BCRYPT_ROUNDS = 12  # optional. 12 is the default. Only needed for bcrypt.

Add something like the following to your settings_local.py file, and keep it secret:

HMAC_KEYS = {
    '2011-01-01': 'ThisisASharedKey',
    '2010-06-01': 'OldSharedKey',
    '2010-01-01': 'EvenOlderSharedKey'
}

HMAC_KEYS is a dictionary of the form {key-id: shared-secret}. You only need one key to start. The dictionary key can be an ISO date, or almost anything else, but the latest key is determined by sorting the key ids, so choose ids that sort in chronological order.

Note: If you don't have a settings_local.py file or similar, make sure to use from settings_local import * at the end of settings.py and add it to the ignore file for your version control system, so it becomes part of your Django settings, but is not committed to the repository.

This change is backwards-compatible (i.e., existing SHA-1 hashes in the database keep on working), and does not require database changes*.

*: unless you're using SHA-512 (see below).

The default: Bcrypt and HMAC

A quick overview of the default hash algorithm: it combines bcrypt with HMAC-SHA512. HMAC is a keyed hash (a message authentication code built on a hash function, here SHA-512), and the HMAC_KEYS you entered above supply its secret key.

The reason a machine-local secret is involved in the calculation is that if an attacker obtains a copy of the database, the stored hashes are useless without also gaining file-system access to steal the local secret.

HMAC_KEYS is a dictionary so that you can change the key periodically and deprecate old keys, or revoke altogether keys that are too old or that you fear may have leaked.

Second, the HMAC output is hashed again using bcrypt, which is computationally expensive and therefore better resists offline brute-force attacks.

Transparent password rehashing

If you have existing users with weaker password hashes (such as SHA-1) in the database, django_sha2 will automatically rehash their password in the database with your currently chosen hash algorithm during their next login.

This is enabled by default. If you don't like it, set this in your settings file:

PWD_REHASH = False

Similarly, django_sha2 automatically updates users' password hashes to the latest HMAC key on login, which is usually what you want, so it is enabled by default. To disable it, set the following:

PWD_HMAC_REKEY = False
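The two-step scheme described above (HMAC-SHA512 under a server-side secret, then a slow hash) together with the rekey-on-login behaviour, as an added example that is not django_sha2's own code. It keeps the page's "latest key by sorting" rule and a revoked key id failing verification, but swaps bcrypt for the standard library's PBKDF2 so it runs without the bcrypt package; the hash string layout and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample keys; in a real deployment they live in settings_local.py.
HMAC_KEYS = {
    '2011-01-01': 'ThisisASharedKey',
    '2010-06-01': 'OldSharedKey',
    '2010-01-01': 'EvenOlderSharedKey',
}
SLOW_ROUNDS = 20000  # work factor of the stand-in slow hash (bcrypt in django_sha2)


def latest_key_id(keys=HMAC_KEYS):
    # As on the page: the current key is whichever key id sorts last.
    return sorted(keys)[-1]


def _hmac_sha512(password, key_id, keys):
    # Step 1: HMAC-SHA512 of the password under the server-side secret.
    return hmac.new(keys[key_id].encode(), password.encode(), hashlib.sha512).digest()


def _slow_hash(prehashed, salt):
    # Step 2: a deliberately expensive hash. django_sha2 uses bcrypt; this
    # example substitutes stdlib PBKDF2 so it runs without the bcrypt package.
    return hashlib.pbkdf2_hmac('sha512', prehashed, salt, SLOW_ROUNDS)


def make_password(password, key_id=None, salt=None, keys=HMAC_KEYS):
    # Layout 'bcrypt$<key-id>$<salt>$<digest>' is this example's own; the key
    # id is stored so verification later knows which secret to use.
    key_id = key_id or latest_key_id(keys)
    salt = salt or os.urandom(16)
    digest = _slow_hash(_hmac_sha512(password, key_id, keys), salt)
    return 'bcrypt$%s$%s$%s' % (key_id, base64.b64encode(salt).decode(),
                                base64.b64encode(digest).decode())


def check_password(password, encoded, keys=HMAC_KEYS):
    # Returns (ok, rekeyed). A hash made under an older, still-listed key
    # verifies and comes back with a replacement under the latest key (what
    # PWD_HMAC_REKEY does on login); a revoked key id fails outright.
    parts = encoded.split('$')
    if len(parts) != 4 or parts[0] != 'bcrypt' or parts[1] not in keys:
        return False, None
    _, key_id, salt_b64, digest_b64 = parts
    expected = _slow_hash(_hmac_sha512(password, key_id, keys), base64.b64decode(salt_b64))
    if not hmac.compare_digest(expected, base64.b64decode(digest_b64)):
        return False, None
    rekeyed = make_password(password, keys=keys) if key_id != latest_key_id(keys) else None
    return True, rekeyed
```

The caller stores the `rekeyed` value back into the user row when it is not None, which is exactly the moment a deprecated key can be dropped from HMAC_KEYS once no stored hash references it any more.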

A note on SHA-512

Django's default password field is limited to 128 characters, which does not fit a hex-encoded SHA-512 hash together with its algorithm and salt prefix. In order not to require a database migration for every project that uses this, we encode the SHA-512 hash in Base64 rather than hex. To use this, set your hash backend as follows:

PWD_ALGORITHM = 'sha512b64'

If you want to use hex-encoded SHA-512 instead, use the following:

PWD_ALGORITHM = 'sha512'

Be advised, however, that you need to ensure your database's password field can hold at least 156 characters.

When starting a new project, it is safe to use the sha512 backend straight away: django_sha2 will create the password field with a max_length of 255 when running syncdb for the first time.

History

This started off as a monkey-patch for SHA-256 in Django and, by way of SHA-512, turned into a strong hash library featuring bcrypt and HMAC support.

For the initial idea, read the blog post about it.

Using django 1.4

Django 1.4 allows us to create our own password hashers. Because of some of the design choices of Django's model, we have to generate a hasher class for each of our HMAC_KEYS. Lucky for you, we have code to help you! Define BASE_PASSWORD_HASHERS with all the hashers you might need to verify existing hashes in your database (i.e. if in the past you used SHA256, make sure it's in this setting). From there, if you follow the code below, all your passwords will automatically stay up to date with the latest algorithm/hmac_key.

This is an example settings file snippet:

HMAC_KEYS = {
    '2010-06-01': 'OldSharedKey',
    '2011-01-01': 'ThisisASharedKey',
    '2010-01-01': 'EvenOlderSharedKey'
}

BASE_PASSWORD_HASHERS = (
    'django_sha2.hashers.BcryptHMACCombinedPasswordVerifier',
    'django_sha2.hashers.SHA512PasswordHasher',
    'django_sha2.hashers.SHA256PasswordHasher',
    'django.contrib.auth.hashers.SHA1PasswordHasher',
    'django.contrib.auth.hashers.MD5PasswordHasher',
    'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher',
)

from django_sha2 import get_password_hashers
PASSWORD_HASHERS = get_password_hashers(BASE_PASSWORD_HASHERS, HMAC_KEYS)
