upgrade to argon password hasher

Fixes #3362
zulip · Jan 21, 2017 · a5a768c · a5a768c
1 parent b4b6516
commit a5a768c
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/requirements/common.txt b/requirements/common.txt
@@ -175,3 +175,6 @@ pycodestyle==2.1.0
 # Needed for link preview
 beautifulsoup4==4.5.1
 git+https://github.com/rafaelmartins/pyoembed.git@eb9901917c2a44b49e2887c077ead84a722c50dc#egg=pyoembed
+
+# Needed for password hashing
+argon2-cffi==16.3.0
diff --git a/zproject/settings.py b/zproject/settings.py
@@ -490,12 +490,23 @@ def get_secret(key):
     # PRODUCTION.  Saves a bunch of time.
     PASSWORD_HASHERS = (
                 'django.contrib.auth.hashers.SHA1PasswordHasher',
-                'django.contrib.auth.hashers.PBKDF2PasswordHasher'
+                'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+                'django.contrib.auth.hashers.Argon2PasswordHasher'
             )
     # Also we auto-generate passwords for the default users which you
     # can query using ./manage.py print_initial_password
     INITIAL_PASSWORD_SALT = get_secret("initial_password_salt")
 
+# Use best password hashing algorithm argon2 for PRODUCTION
+if PRODUCTION:
+    PASSWORD_HASHERS = (
+                'django.contrib.auth.hashers.Argon2PasswordHasher',
+                'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+                'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
+                'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
+                'django.contrib.auth.hashers.BCryptPasswordHasher'
+            )
+
 ########################################################################
 # API/BOT SETTINGS
 ########################################################################