Upgrade to argon password hasher.

The Argon2 password hasher is the currently recommended password hasher for Django. Fixes zulip#3362.
andersk · Feb 23, 2017 · 483a351 · 483a351
1 parent 5efb072
commit 483a351
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/requirements/common.txt b/requirements/common.txt
@@ -178,3 +178,6 @@ pycodestyle==2.2.0
 # Needed for link preview
 beautifulsoup4==4.5.3
 git+https://github.com/rafaelmartins/pyoembed.git@eb9901917c2a44b49e2887c077ead84a722c50dc#egg=pyoembed
+
+# Needed for password hashing
+argon2-cffi==16.3.0
diff --git a/version.py b/version.py
@@ -1,2 +1,2 @@
 ZULIP_VERSION = "1.5.1+git"
-PROVISION_VERSION = '4.5'
+PROVISION_VERSION = '4.6'
diff --git a/zproject/settings.py b/zproject/settings.py
@@ -488,6 +488,11 @@ def get_secret(key):
     # Also we auto-generate passwords for the default users which you
     # can query using ./manage.py print_initial_password
     INITIAL_PASSWORD_SALT = get_secret("initial_password_salt")
+else:
+    # For production, use the best password hashing algorithm: Argon2
+    # Zulip was originally on PBKDF2 so we need it for compatibility
+    PASSWORD_HASHERS = ('django.contrib.auth.hashers.Argon2PasswordHasher',
+                        'django.contrib.auth.hashers.PBKDF2PasswordHasher')
 
 ########################################################################
 # API/BOT SETTINGS