Question

I have a legacy users database which I would like to integrate into a new Django project.

The users' passwords are saved in the old database with a plain and simple MD5 encryption (PHP md5() function), without any salting whatsoever.

Overriding the check_password and set_password of django.contrib.auth is not an option, since I already have new users active on the new Django project.

Looked into passlib, but unfortunately it doesn't do what is needed to be done on this specific project.

So basically, my only option is to convert the hashes somehow into the Django salted format, or implement a custom check_password method that will determine if the password is plain MD5 or a Django password (possibly even by a parameter in my custom user model, something like a legacy=True boolean flag).

Any help is much appreciated.

Solution

The Django contrib.auth.hashers module already supports plain, unsalted MD5 passwords:

# Ancient versions of Django created plain MD5 passwords and accepted
# MD5 passwords with an empty salt.
if ((len(encoded) == 32 and '$' not in encoded) or
        (len(encoded) == 37 and encoded.startswith('md5$$'))):
    algorithm = 'unsalted_md5'

So, if your hashes are length 32 (a hex representation of the hash) and contain no $ character (which would indicate there is a hash signature prefix), or the hash is 37 characters long and starts with md5$$, then your hashes are already supported.

Even better: any user successfully authenticating will have their password hash automatically updated to the current preferred scheme. Your users will themselves migrate your database.

Other tips

In these cases I suggest you take a different approach.

1) Create your own authentication backend.

2) In that backend, implement the same password validation system that your PHP project has.

3) Compare hashed passwords in the backend just like the Django authentication backend does.

4) After successful authentication, set the user's password with Django methods, so that it would use the default Django authentication logic.

5) Log the user in.
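The migrate-on-login flow that both answers rely on (recognise an unsalted MD5 record, verify it, then replace it with a salted hash once the password is known), as an added standard-library sketch that is not Django's code or either answerer's. The function names, the `USERS` store and the iteration count are assumptions made for this example; inside a Django project the rehash step would go through Django's own password methods.

```python
import base64, hashlib, hmac, secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this sketch

def php_md5(password):
    """What PHP's md5() stores: 32 lowercase hex chars, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def is_legacy_md5(encoded):
    """Shape test from the excerpt quoted in the first answer."""
    return ((len(encoded) == 32 and "$" not in encoded) or
            (len(encoded) == 37 and encoded.startswith("md5$$")))

def make_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted hash laid out as pbkdf2_sha256$iterations$salt$b64digest."""
    salt = salt or secrets.token_hex(11)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(dk).decode())

def check_password(password, encoded):
    """Verify against either format using a constant-time comparison."""
    if is_legacy_md5(encoded):
        stored = encoded[5:] if encoded.startswith("md5$$") else encoded
        return hmac.compare_digest(php_md5(password).encode(), stored.lower().encode())
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
        expected = make_pbkdf2(password, salt, int(iterations))
    except ValueError:  # malformed record: wrong field count or bad number
        return False
    return algorithm == "pbkdf2_sha256" and hmac.compare_digest(expected.encode(), encoded.encode())

def authenticate(users, username, password):
    """Return True on success; a legacy record is rehashed on the way out."""
    encoded = users.get(username)
    if encoded is None or not check_password(password, encoded):
        return False
    if is_legacy_md5(encoded):
        users[username] = make_pbkdf2(password)  # drop the unsalted MD5
    return True

# Constructed sample store: one imported PHP account, one already migrated.
USERS = {"alice": php_md5("s3cret-legacy"), "bob": make_pbkdf2("new-user-pw")}
```

Accounts that never log in again keep their unsalted MD5 record, so the legacy branch stays reachable until those rows are expired or forced through a password reset.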

License: CC-BY-SA with attribution
Not affiliated with StackOverflow