Yes, that's exactly what you do. In Django 1.4 (the latest), they store password...

raverbashing · on June 7, 2012

Kudos to Django because this is very important

Like in bcrypt discussion saying you can tune the amount of work. Sure, but what to do with the existing hashes!

Of course, the user needs to retype their keys, but it's better than keeping old credentials.

(or maybe you save the original credentials with strong PK crypto, together with the hash, then periodically decrypt offline and rehash)

powersurge360 · on June 7, 2012

In regards to "what to do with the existing hashes" bcrypt can detect the original work factor and hash to that. Not sure how you would upgrade that for users, however.

pek · on June 7, 2012

Couldn't you just move from, say, using MD5(password) to bcrypt(MD5(password))? So when it becomes apparent that the old hash is no more secure, start using the combination of the old bad hash (MD5) and the new good hash (bcrypt). This way you can simply run once through the password database, hash each password hash there with the new better hash, and throw away the old hashes. No need to prolong the process until the users log in.

dsingleton · on June 8, 2012

They have some older APIs that depend on MD5(password) being used directly, to compare against auth credentials or to derive other hashes to verify API requests.

Though older APIs they're still used by many older or infrequently updated clients, such as hardware devices with sold with Last.fm integration.

Unfortunately, the longer you've been around the more likely you are to develop dependencies that make it more difficult to upgrade your password hashing.

A new site can do whatever it wants with password hashing, but it becomes harder for older sites with more legacy dependencies to make that kind of change and Last.fm has been around for almost 10 years.

This isn't to say "MD5 is cool, don't worry", but to try and illustrate some of the reasons behind this.

EvilTerran · on June 7, 2012

As hashing functions aren't injective, composing them leads to a reduction of range (ie, a smaller set of possible output values). As such, (bcrypt . MD5) would almost certainly be a weaker hash than bcrypt alone. Might not be enough to make a difference, but I'd consult a cryptologist before betting on that.

pek · on June 7, 2012

Yeah, it would be weaker against a collision attack. But that shouldn't be a concern as the purpose of the password hashing function is to protect against a preimage attack: finding the password given its hash. I can't see how the composition could be more vulnerable to a preimage attack than its parts. (Provided that the inner function's output is evenly distributed.)

soulclap · on June 7, 2012

Great feature. So you alter the password field (extending the length) if needed and when a user signs in it gets auto-updated and Django always tests both/all specified algorithms? Or do you have to add a new database field when moving on? (Sorry for my tl;dr behaviour but while I've got an expert on the line anyway...)

cschmidt · on June 7, 2012

I'm not an expert in any sense, just a Django user. I've never actually looked under the hood, since it just works.

You specify an order of the hash algorithms, putting the one you want first. Switching to bcrypt for me was just a matter of moving it up a few lines in a list.

The password field can probably stay the same length, since it is a hash value anyway. I'm assuming you have a second field that stores the hash algorithm used. When it logs you in, it uses the current algorithm to authenticate you. Then if that technique isn't first on your list, it creates a new, salted hash, and stores both that and the new hash type in the database. Nice and slick.

soulclap · on June 7, 2012

thanks for the insight, much appreciated. never really thought about how to do this before. (screams for a 'website security patterns' book.)