Question

I am working on an upgrade from Django 1.1 to Django 1.5 and have followed this guide: Upgrade Django from 1.1 to 1.5.1, apart from reading the manuals and release notes.

One thing I didn't expect, though, is the backward incompatibility of the auth app password encryption. I just now found out that since Django 1.4, the encryption algorithm has been updated from using sha1 to using PBKDF2.

Since I have tons of users already registered, there is no way I can ask them to recreate their accounts. So I wonder if any one of you has had a similar problem and found a way to get around it.

Please let me know if there is any kind of solution for this so my users are still valid with their current password.

Thanks! TS


Solution

Have a look at the docs: https://docs.djangoproject.com/en/1.5/topics/auth/passwords/#how-django-stores-passwords

It says, "When users log in, if their passwords are stored with anything other than the preferred algorithm, Django will automatically upgrade the algorithm to the preferred one. This means that old installs of Django will get automatically more secure as users log in, and it also means that you can switch to new (and better) storage algorithms as they get invented."

So I think if you just make sure both sha1 and PBKDF2 are in PASSWORD_HASHERS (they are by default), it should just work. Users will still be able to log in with the old hash, and Django will automatically update their password to the new one.

If you don't want Django to update the passwords automatically, you just have to put sha1 at the top of the PASSWORD_HASHERS list.
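The upgrade-on-login behaviour described in the answer, as an added standard-library sketch that is not part of the original answer and is not Django's own code. It models the `sha1$salt$hash` and `pbkdf2_sha256$iterations$salt$hash` storage layouts; `login`, `users`, `preferred` and the iteration count are hypothetical names and values chosen for the example.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 10000  # constructed value for the example, not a recommendation

def encode_sha1(password, salt):
    # Legacy layout: sha1$<salt>$<hex of sha1(salt + password)>
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return "sha1$%s$%s" % (salt, digest)

def encode_pbkdf2(password, salt, iterations=PBKDF2_ITERATIONS):
    # Newer layout: pbkdf2_sha256$<iterations>$<salt>$<base64 digest>
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(raw).decode())

def verify(password, encoded):
    """Recompute the hash with the stored algorithm and salt, then compare."""
    algorithm, _, rest = encoded.partition("$")
    try:
        if algorithm == "sha1":
            salt, _ = rest.split("$", 1)
            expected = encode_sha1(password, salt)
        elif algorithm == "pbkdf2_sha256":
            iterations, salt, _ = rest.split("$", 2)
            expected = encode_pbkdf2(password, salt, int(iterations))
        else:
            return False  # no hasher enabled for this record: it cannot be checked
    except ValueError:
        return False      # malformed stored value
    return hmac.compare_digest(expected, encoded)

def login(store, username, password, preferred="pbkdf2_sha256"):
    """Check the password; on success, re-hash it if it is not in the preferred layout."""
    encoded = store.get(username)
    if encoded is None or not verify(password, encoded):
        return False
    if encoded.split("$", 1)[0] != preferred:
        # The plaintext is only available now, so this is the one moment to upgrade.
        salt = base64.b16encode(os.urandom(8)).decode().lower()
        encoder = encode_pbkdf2 if preferred == "pbkdf2_sha256" else encode_sha1
        store[username] = encoder(password, salt)
    return True

# Constructed sample record, in the layout a pre-1.4 database row would hold.
users = {"alice": encode_sha1("correct horse", "a1b2c")}
```

Accounts that never log in again keep their sha1 record, so the legacy hasher has to stay enabled for as long as such rows exist.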

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow