 

What is the format in which Django passwords are stored in the database?

Tags: python, django

You know how Django passwords are stored like this:

sha1$a1976$a36cc8cbf81742a8fb52e221aaeab48ed7f58ab4

and that is the "hashtype $salt $hash". My question is, how do they get the $hash? Is it the password and salt combined and then hashed, or is it something else entirely?

Joe asked Apr 14 '09 23:04



2 Answers

As always, use the source:

```python
# root/django/trunk/django/contrib/auth/models.py
# The helpers below come from the imports at the top of the same file:
from django.utils.encoding import smart_str
from django.utils.hashcompat import md5_constructor, sha_constructor

# snip
def get_hexdigest(algorithm, salt, raw_password):
    """
    Returns a string of the hexdigest of the given plaintext password and salt
    using the given algorithm ('md5', 'sha1' or 'crypt').
    """
    raw_password, salt = smart_str(raw_password), smart_str(salt)
    if algorithm == 'crypt':
        try:
            import crypt
        except ImportError:
            raise ValueError('"crypt" password algorithm not supported in this environment')
        return crypt.crypt(raw_password, salt)

    if algorithm == 'md5':
        return md5_constructor(salt + raw_password).hexdigest()
    elif algorithm == 'sha1':
        return sha_constructor(salt + raw_password).hexdigest()
    raise ValueError("Got unknown password algorithm type in password.")
```

As we can see, the password digests are made by concatenating the salt with the password and hashing the result with the selected hashing algorithm. Then the algorithm name, the original salt, and the password hash are concatenated, separated by "$"s, to form the stored value.

```python
# Also from root/django/trunk/django/contrib/auth/models.py
def check_password(raw_password, enc_password):
    """
    Returns a boolean of whether the raw_password was correct. Handles
    encryption formats behind the scenes.
    """
    algo, salt, hsh = enc_password.split('$')
    return hsh == get_hexdigest(algo, salt, raw_password)
```

To validate passwords, Django just verifies that the same salt and the same password result in the same digest.

SingleNegationElimination answered Oct 18 '22 10:10


According to the docs:

Hashtype is either sha1 (default), md5 or crypt -- the algorithm used to perform a one-way hash of the password. Salt is a random string used to salt the raw password to create the hash.

According to the code of set_password:

```python
def set_password(self, raw_password):
    import random
    algo = 'sha1'
    salt = get_hexdigest(algo, str(random.random()), str(random.random()))[:5]
    hsh = get_hexdigest(algo, salt, raw_password)
    self.password = '%s$%s$%s' % (algo, salt, hsh)
```

As the documentation describes, the hash is the salt, algorithm, and password, hashed.

Paolo Bergantino answered Oct 18 '22 09:10