OMG Crypto! Securing Password with Django

Learn how to securely store your user passwords with Django -- don't be a security n00b!

Randall Degges

April 30, 2014
Transcript

  1. Creating a Django User

     rdegges at Randalls-MacBook-Pro in ~/Desktop/omgcrypto (omgcrypto)
     ◦ python manage.py shell
     Python 2.7.6 (default, Feb 3 2014, 10:00:57)
     [GCC 4.2.1 Compatible Apple LLVM 5.0 (clang-500.2.79)] on darwin
     Type "help", "copyright", "credits" or "license" for more information.
     (InteractiveConsole)
     >>> from django.contrib.auth.models import User
     >>> u = User.objects.create_user('rdegges', '[email protected]', 'python<3')
     >>> u.password
     u'pbkdf2_sha256$12000$TpbGqZKgAx8J$tDIEbKd+lWDJW9q/xDUOlSunzu7ZNHiV6Um11ZG39ck='
     >>>
  2. Using bcrypt with Django

     # settings.py
     PASSWORD_HASHERS = (
         'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
         'django.contrib.auth.hashers.BCryptPasswordHasher',
         'django.contrib.auth.hashers.PBKDF2PasswordHasher',
         'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
         'django.contrib.auth.hashers.SHA1PasswordHasher',
         'django.contrib.auth.hashers.MD5PasswordHasher',
         'django.contrib.auth.hashers.CryptPasswordHasher',
     )
  3. Password upgrading

     When users log in, if their passwords are stored with anything other than the preferred algorithm, Django will automatically upgrade the algorithm to the preferred one. This means that old installs of Django will automatically become more secure as users log in, and it also means that you can switch to new (and better) storage algorithms as they get invented.

     However, Django can only upgrade passwords that use algorithms mentioned in PASSWORD_HASHERS, so as you upgrade to new systems you should make sure never to remove entries from this list. If you do, users using unmentioned algorithms won't be able to upgrade. Passwords will also be upgraded when changing the PBKDF2 iteration count.

     https://docs.djangoproject.com/en/dev/topics/auth/passwords/#password-upgrading
  4. We make security easy.

     • User Account Storage
     • User Profile Storage
     • Data Security
     • Password Reset
     • Email Verification
     • Social Login