I have exported database from Discourse. it does contain password_hash and salt.
I have done my research and found out that Django uses PBKDF2 by default and even Discours use that with hashing algorithm sha256 and number of iterations 64000.
I want to migrate those password so that Django will be able to authenticate a user with the same password.
There's a number of ways you could do this.
Write your own authentication method in the backend - which accepts the same hashing method as Discourse when a user attempts to login. This way the hashed password should match from the user's salt and the password they have entered.
This can be done as follows:
from django.contrib.auth.hashers import PBKDF2PasswordHasher
class MyPBKDF2PasswordHasher(PBKDF2PasswordHasher):
"""
A subclass of PBKDF2PasswordHasher that uses 64000 times more iterations.
"""
iterations = PBKDF2PasswordHasher.iterations * n
iterations = 64000 #Use this for simplicity!!
in hashers.py. Please note - PBKDF2PasswordHasher.iterations * n will have to equal 64000 - I think the number of iterations is currently set to 150000, so probably easier to have iterations = 64000 directly. The iterations is all you're looking to change, and all other behaviour will be inherited from the PBKDF2PasswordHasher Class.
Then, all you will need is:
PASSWORD_HASHERS = [
'application_name.hashers.MyPBKDF2PasswordHasher',
]
in settings.py, where application_name is, yep you guessed it, the name of the application where hashers.py can be found.
However...the following documentation on storage and hashing of passwords may be extremely useful in your search:
https://docs.djangoproject.com/en/2.1/topics/auth/passwords/#auth-password-storage
Related
I'm currently trying to migrate my Flask Users over to a Django Backend.
However, when I'm using passlib to verify the hash, I can't figure out why it won't verify.
Our flask app settings
SECURITY_PASSWORD_HASH = "pbkdf2_sha512"
SECURITY_PASSWORD_SALT = "stackoverflow" # this is an example
An example of a hash I pulled from a database
flask_hash =
"$pbkdf2sha512$12000$ZQyhNEbIOSfk/J/T2vs/Bw$j.yxtixV.DqAcpsY9XTnJZZb3lCkR2fMWmV329Uc7Y/vz5Z0yMshEkYlUsE2Y9xm8TICwYkG55RgAplzZzLl7g"
So I created a custom pbkdf2_sha512 with the the rounds and salt
from passlib.hash import pbkdf2_sha512
rounds = 12000
salt = "stackoverflow".encode() # assume I swapped this out with the right salt
custom_pbkdf2 = pbkdf2_sha512.using(rounds=rounds, salt=salt)
verify_result = custom_pbkdf2.verify(hash=flask_hash, secret=password)
print (verify_result) # false
But if I create a new hash ... it does work
test_hash = custom_pbkdf2.hash('testing-if-this-works')
test_hash_confirm = custom_pbkdf2.verify('testing-if-this-works', hash=test_hash)
Is there something I'm missing? Thank you so much for any help here ... I know the password to this -- it's a dummy account I used for testing.
I was struck in exactly the same situation, luckily found this reddit thread, which had the explanation.
Basically, what you have to do verify the user is:
from flask_security.utils import verify_password
verify_password(<plain text password>, <password hash>)
More details here
if I create a hash using django's django.contrib.auth.hashers.make_password of the same string I get different hash every time. I don't understand how is this legal because as far as I know, hash functions must generate the same hash every time since by definition its a function. What am I missing?
from django.contrib.auth.hashers import make_password
password = "helloworld"
h1 = make_password(password)
h2 = make_password(password)
print h1, h2
h1 = u'pbkdf2_sha256$20000$Tr6NV5MewXYl$X+sezT6WRqBwYmJR/RZmZHLP6/l6ntSaBke0RKU1/v0='
h2 = u'pbkdf2_sha256$20000$05rEmxChtXlI$NdZGfTKH+kqt1viuFng3GmvBp6eJcsstxV4JcDlBGIs='
I suspect that different algorithms are used to hash every time and hence the hash is also different. Am I correct?
You see different results because of the salt. In simple words Django add some random string to the password before hashing to get different values even for same password. This makes rainbaw tables attack are useless. Actually what you see in DB is not plain hash value, it's structure in following format: <algorithm>$<iterations>$<salt>$<hash>
Each time you use make_password, the password is hashed with a different salt. Django stores the salt with the hashed password. You can then use check_password to check the password later.
from django.contrib.auth.hashers import check_password, make_password
password = "helloworld"
h1 = make_password(password)
check_password(password, h1) # returns True
check_password("incorrect", h1) # returns False
Read the docs on how Django stores passwords for more info.
I want to send the email to the user that will contains url+hash
like this bleow
www.mywebsite.com/user/verify/121#$%3h2%^1kj3#$h2kj1h%$3kj%$21h
and save this hash against the user in the Database like this
ID | Email |Hash
1 | youremail#gmail.com |121#$%3h2%^1kj3#$h2kj1h%$3kj%$21h
When the user received the email it should check and compare the hash with it and perform the action as per situation.
My question is simple how to generate a unique hash for each user and how to store them in the Database.
If by "hash", you mean a unique string, you can just use uuid.uuid4 for that purpose.
>>> import uuid
>>> unique_id = str(uuid.uuid4())
>>> print unique_id
d8814205-f11e-46e1-925e-a878fc75cb8d
>>> # replace dashes, if you like
>>> unique_id.replace("-", "")
I've used this for projects where I need to verify a user's email.
P.S.: It's not called a hash, it's called a unique ID. Hashing is something else, where you generate a value from a given string. See this question for more explanation.
Django has a Cryptographic Signing module, which helps produce unique and verifiable signatures for any data you need. If you are trying to do this to verify that the request is done by the appropriate user or not, you can use the library to verify requests, without storing the hash in the database.
I have written a custom hasher for the passwords and it returns a hashed password length of 148. But Django seems to limit the length of the password in the SQL table to 128 by default. How do I change it?
The correct way would be to use a custom user model that overrides the password field:
https://docs.djangoproject.com/en/dev/topics/auth/customizing/#specifying-a-custom-user-model for details.
As an alternative workaround, you can use a third party applicaton called django-primate: https://github.com/aino/django-primate#alternative-password-hashing
I create a user in my view.py using this simple code.
if not errors:
user = User.objects.create_user(username, email, password)
user.save()
Except for the validation, there is nothing that I do to the username and password values before creating the object.
But I find this in the User class in Django API. I don't know how to use the help text. If it is help text what does it print? How do I find the default values of algo, salt and hexdigest?
password = models.CharField(_('password'), max_length=128, help_text=_("Use '[algo]$[salt]$[hexdigest]' or use the change password form."))
"If it is help text what does it print?"
-> it prints exactly this: Use '[algo]$[salt]$[hexdigest]'
when you create a user, it will automatically call make_password(password[, salt, hashers])
which: Creates a hashed password in the format used by this application. It takes one mandatory argument: the password in plain-text. Optionally, you can provide a salt and a hashing algorithm to use, if you don't want to use the defaults (first entry of PASSWORD_HASHERS setting). Currently supported algorithms are: 'pbkdf2_sha256', 'pbkdf2_sha1', 'bcrypt' (see Using bcrypt with Django), 'sha1', 'md5', 'unsalted_md5'
are you facing any problems with this?
create_user will automatically generate password hash and it will create user in the database (thus you don't need that user.save())
See docs on creating users.
The help text is basicly just code for the message that shows up in the django admin, when editing a User object. It's meant to explain to someone looking at the edit form, why the password field has something like sha1$12345$1234567890abcdef1234567890abcdef12345678 instead of the password that was set for that user. The reason is, of course that the password is hashed for security, and that representation holds all the information required to verify a user-typed password later.
The admin user edit form has a special page for editing passwords. If you want to edit the users password in your code use the set_password method of the User object, the check_password method is for verifying a supplied password.
The documentation for make_password has more information about the algorithms Django uses and can use. The default for Django <1.3 was sha1, Django 1.4 changed the default to PBKDF2. The default value for salt is a random string (it's there so that two identical passwords don't look the same in the database). Hexdigest is the value of the password string and the salt string hashed with the hashing algorithm. You can read the details in the code on github.