upgrade to argon password hasher

Fixes #3362
zulip · Feb 3, 2017 · 3f232d1 · 3f232d1
1 parent b4b6516
commit 3f232d1
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/requirements/common.txt b/requirements/common.txt
@@ -175,3 +175,6 @@ pycodestyle==2.1.0
 # Needed for link preview
 beautifulsoup4==4.5.1
 git+https://github.com/rafaelmartins/pyoembed.git@eb9901917c2a44b49e2887c077ead84a722c50dc#egg=pyoembed
+
+# Needed for password hashing
+argon2-cffi==16.3.0
diff --git a/zproject/settings.py b/zproject/settings.py
@@ -496,6 +496,11 @@ def get_secret(key):
     # can query using ./manage.py print_initial_password
     INITIAL_PASSWORD_SALT = get_secret("initial_password_salt")
 
+# Use best password hashing algorithm argon2 for PRODUCTION
+if PRODUCTION:
+    PASSWORD_HASHERS = ('django.contrib.auth.hashers.Argon2PasswordHasher',
+                        'django.contrib.auth.hashers.PBKDF2PasswordHasher')
+
 ########################################################################
 # API/BOT SETTINGS
 ########################################################################