Added password hashing improvements to 1.4 alpha 1 release notes.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@17258 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 2d1a681f77259e9652c357a634920d7f8f1ecd97 1 parent d49fd62
Paul McMillan authored December 23, 2011

Showing 1 changed file with 17 additions and 0 deletions.

17  docs/releases/1.4-alpha-1.txt
@@ -99,6 +99,23 @@ allows you to fix a very common performance problem in which your code ends up
99 99
 doing O(n) database queries (or worse) if objects on your primary ``QuerySet``
100 100
 each have many related objects that you also need.
101 101
 
  102
+Improved password hashing
  103
+~~~~~~~~~~~~~~~~~~~~~~~~~
  104
+
  105
+Django's auth system (``django.contrib.auth``) stores passwords using a one-way
  106
+algorithm. Django 1.3 uses the SHA1_ algorithm, but increasing processor speeds
  107
+and theoretical attacks have revealed that SHA1 isn't as secure as we'd like.
  108
+Thus, Django 1.4 introduces a new password storage system: by default Django now
  109
+uses the PBKDF2_ algorithm (as recommended by NIST_). You can also easily choose
  110
+a different algorithm (including the popular bcrypt_ algorithm). For more
  111
+details, see :ref:`auth_password_storage`.
  112
+
  113
+.. _sha1: http://en.wikipedia.org/wiki/SHA1
  114
+.. _pbkdf2: http://en.wikipedia.org/wiki/PBKDF2
  115
+.. _nist: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
  116
+.. _bcrypt: http://en.wikipedia.org/wiki/Bcrypt
  117
+
  118
+
102 119
 HTML5 Doctype
103 120
 ~~~~~~~~~~~~~
104 121
 
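Review bot: The new paragraph (added lines 105-111) announces the move from SHA1 to PBKDF2 as the default but does not say what happens to passwords already stored with SHA1 when a project upgrades from 1.3. That is the first thing someone reading the release notes before an upgrade will want to know, so add a sentence stating whether existing hashes keep validating and whether they get converted, or say explicitly that :ref:`auth_password_storage` covers it. Smaller style point: added lines 117-118 leave two blank lines before "HTML5 Doctype", while the section above is separated by a single blank line (line 101); drop one for consistency.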
