
OMG Crypto! Securing Password with Django

Learn how to securely store your user passwords with Django -- don't be a security n00b!

Randall Degges

April 30, 2014
Transcript

  1. OMG Crypto!
    Securing passwords with Django.
    @rdegges

  2. Creating a Django User
    rdegges at Randalls-MacBook-Pro in ~/Desktop/omgcrypto
    (omgcrypto) ○ python manage.py shell
    Python 2.7.6 (default, Feb 3 2014, 10:00:57)
    [GCC 4.2.1 Compatible Apple LLVM 5.0 (clang-500.2.79)] on darwin
    Type "help", "copyright", "credits" or "license" for more information.
    (InteractiveConsole)
    >>> from django.contrib.auth.models import User
    >>> u = User.objects.create_user('rdegges', '[email protected]', 'python<3')
    >>> u.password
    u'pbkdf2_sha256$12000$TpbGqZKgAx8J$tDIEbKd+lWDJW9q/xDUOlSunzu7ZNHiV6Um11ZG39ck='
    >>>

  3. How Django Does It

  4. How Ninjas Do It

  5. Using bcrypt with Django
    rdegges at Randalls-MacBook-Pro in ~/Desktop/omgcrypto
    (omgcrypto) ○ pip install -U bcrypt
    Downloading/unpacking bcrypt

  6. Using bcrypt with Django
    # settings.py
    # The first entry is the preferred hasher; the rest stay so old hashes can still be checked.
    PASSWORD_HASHERS = (
        'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
        'django.contrib.auth.hashers.BCryptPasswordHasher',
        'django.contrib.auth.hashers.PBKDF2PasswordHasher',
        'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
        'django.contrib.auth.hashers.SHA1PasswordHasher',
        'django.contrib.auth.hashers.MD5PasswordHasher',
        'django.contrib.auth.hashers.CryptPasswordHasher',
    )

  7. Password upgrading
    When users log in, if their passwords are stored with anything other than the preferred algorithm, Django will automatically upgrade the algorithm to the preferred one. This means that old installs of Django will get automatically more secure as users log in, and it also means that you can switch to new (and better) storage algorithms as they get invented.

    However, Django can only upgrade passwords that use algorithms mentioned in PASSWORD_HASHERS, so as you upgrade to new systems you should make sure never to remove entries from this list. If you do, users using unmentioned algorithms won’t be able to upgrade. Passwords will be upgraded when changing the PBKDF2 iteration count.
    https://docs.djangoproject.com/en/dev/topics/auth/passwords/#password-upgrading
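    The login-time upgrade described on slides 6 and 7, as an added stand-alone example (not code from the deck or from Django itself): it reproduces Django's pbkdf2_sha256 storage format from slide 2 with only the standard library, then re-hashes a password that was stored with a lower iteration count the moment it verifies. Assumes Python 3; the names `encode`, `decode`, `verify`, `must_update`, `login` and the 10000/12000 iteration counts are this example's own choices.

    ```python
    import base64
    import hashlib
    import hmac
    import secrets
    import string

    # Copied from slide 2: the value Django stored for the user created there.
    SLIDE_HASH = "pbkdf2_sha256$12000$TpbGqZKgAx8J$tDIEbKd+lWDJW9q/xDUOlSunzu7ZNHiV6Um11ZG39ck="

    ALGORITHM = "pbkdf2_sha256"
    PREFERRED_ITERATIONS = 12000  # assumed "preferred" setting; raising it is what triggers upgrades


    def make_salt(length=12):
        # Django's hashers use a random 12-character alphanumeric salt (length is our assumption).
        alphabet = string.ascii_letters + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(length))


    def encode(password, salt, iterations=PREFERRED_ITERATIONS):
        """Build the '<algorithm>$<iterations>$<salt>$<base64 digest>' string seen on slide 2."""
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("ascii"), iterations)
        return "$".join([ALGORITHM, str(iterations), salt, base64.b64encode(digest).decode("ascii")])


    def decode(encoded):
        """Split a stored value back into its four '$'-separated fields."""
        algorithm, iterations, salt, digest = encoded.split("$", 3)
        return {"algorithm": algorithm, "iterations": int(iterations), "salt": salt, "hash": digest}


    def verify(password, encoded):
        """Recompute with the stored salt and iteration count; compare in constant time."""
        parts = decode(encoded)
        if parts["algorithm"] != ALGORITHM:
            raise ValueError("hasher not in this example's PASSWORD_HASHERS: " + parts["algorithm"])
        candidate = encode(password, parts["salt"], parts["iterations"])
        return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


    def must_update(encoded):
        """True when the stored hash is weaker than the preferred algorithm or iteration count."""
        parts = decode(encoded)
        return parts["algorithm"] != ALGORITHM or parts["iterations"] != PREFERRED_ITERATIONS


    def login(user, password):
        """Check the password; on success, silently re-hash an outdated value (Django's 'setter' step)."""
        if not verify(password, user["password"]):
            return False  # wrong password: the stored hash is never touched
        if must_update(user["password"]):
            user["password"] = encode(password, make_salt())  # fresh salt, preferred iterations
        return True
    ```

    A wrong password leaves the weak hash in place, which is why an upgrade only happens for users who actually log in, exactly the behaviour the quoted documentation describes.
    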

  8. We make security easy.
    ● User Account Storage
    ● User Profile Storage
    ● Data Security
    ● Password Reset
    ● Email Verification
    ● Social Login
