Fixed #19562 -- cleaned up password storage docs

commit c8eff0dbcb0936aac2748a7a896d08f34b54c50f 1 parent b740da3
Preston Holmes authored January 04, 2013

Showing 1 changed file with 16 additions and 13 deletions.

docs/topics/auth/passwords.txt
@@ -14,17 +14,19 @@ How Django stores passwords
14 14
 ===========================
15 15
 
16 16
 Django provides a flexible password storage system and uses PBKDF2 by default.
17  
-Older versions of Django used SHA1, and other algorithms couldn't be chosen.
18 17
 
19 18
 The :attr:`~django.contrib.auth.models.User.password` attribute of a
20 19
 :class:`~django.contrib.auth.models.User` object is a string in this format::
21 20
 
22  
-    algorithm$hash
  21
+    <algorithm>$<iterations>$<salt>$<hash>
23 22
 
24  
-That's a storage algorithm, and hash, separated by the dollar-sign
25  
-character. The algorithm is one of a number of one way hashing or password
26  
-storage algorithms Django can use; see below. The hash is the result of the one-
27  
-way function.
  23
+Those are the components used for storing a User's password, separated by the
  24
+dollar-sign character and consist of: the hashing algorithm, the number of
  25
+algorithm iterations (work factor), the random salt, and the resulting password
  26
+hash.  The algorithm is one of a number of one-way hashing or password storage
  27
+algorithms Django can use; see below. Iterations describe the number of times
  28
+the algorithm is run over the hash. Salt is the random seed used and the hash
  29
+is the result of the one-way function.
28 30
 
29 31
 By default, Django uses the PBKDF2_ algorithm with a SHA256 hash, a
30 32
 password stretching mechanism recommended by NIST_. This should be
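Review bot: the `<algorithm>$<iterations>$<salt>$<hash>` line is presented as the format of every `User.password` string, yet the same hunk says the algorithm "is one of a number of one-way hashing or password storage algorithms Django can use; see below". The four-field layout is what the default PBKDF2 hasher produces; a hasher that carries its own parameters inside its output, or one that uses no salt, will not split into exactly these four dollar-separated fields, so the sentence should be qualified, e.g. "With the default PBKDF2 hasher the string looks like::". Two wording points in the new paragraph: "Iterations describe the number of times the algorithm is run over the hash" is circular, since the hash is the output; "the number of rounds of the underlying function, i.e. the work factor" says what is meant. And "Salt is the random seed used" should say that the salt is a random per-password value stored next to the hash so that identical passwords produce different strings, which is why it has to appear in the stored value at all.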
@@ -36,13 +38,14 @@ algorithm, or even use a custom algorithm to match your specific
36 38
 security situation. Again, most users shouldn't need to do this -- if
37 39
 you're not sure, you probably don't.  If you do, please read on:
38 40
 
39  
-Django chooses the an algorithm by consulting the :setting:`PASSWORD_HASHERS`
40  
-setting. This is a list of hashing algorithm classes that this Django
41  
-installation supports. The first entry in this list (that is,
42  
-``settings.PASSWORD_HASHERS[0]``) will be used to store passwords, and all the
43  
-other entries are valid hashers that can be used to check existing passwords.
44  
-This means that if you want to use a different algorithm, you'll need to modify
45  
-:setting:`PASSWORD_HASHERS` to list your preferred algorithm first in the list.
  41
+Django chooses the algorithm to use by consulting the
  42
+:setting:`PASSWORD_HASHERS` setting. This is a list of hashing algorithm
  43
+classes that this Django installation supports. The first entry in this list
  44
+(that is, ``settings.PASSWORD_HASHERS[0]``) will be used to store passwords,
  45
+and all the other entries are valid hashers that can be used to check existing
  46
+passwords.  This means that if you want to use a different algorithm, you'll
  47
+need to modify :setting:`PASSWORD_HASHERS` to list your preferred algorithm
  48
+first in the list.
46 49
 
47 50
 The default for :setting:`PASSWORD_HASHERS` is::
48 51
 
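Review bot: "list your preferred algorithm first in the list" in the closing sentence is redundant ("list ... first in the list"); "place your preferred algorithm first" reads better. More substantively, the paragraph says the remaining entries "can be used to check existing passwords" but never says what happens to a hash that was stored under an algorithm that is no longer first, which is exactly what a reader reordering :setting:`PASSWORD_HASHERS` needs before dropping an entry: a sentence stating whether such a password is re-hashed with the preferred algorithm on the next successful login, and that removing a hasher from the list makes every password it produced unverifiable, would close that gap.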
