Skip to main content

A Scrypt-enabled password hasher for Django 1.4

Project description

Django-Scrypt is a Scrypt-enabled password hasher for Django 1.4

Installation

Using source tarballs

  1. Download the source tarball for Django-Scrypt from Pypi

    http://pypi.python.org/pypi/django-scrypt/

  2. Decompress it and make it your working directory:

    $ tar zxvf django-scrypt-0.2.0.tar.gz
    $ cd django-scrypt-0.2.0
  3. Install it into your site-packages (if you install to the system’s site packages you will probably need to be root or you will probably need to use sudo)

    $ python setup.py install

  4. Test your installation

    $ python setup.py test

Using Pip and Pypi

If you are installing to the system-wide site-packages then you will probably need to be root or you will probably need to use sudo.

  1. Use the pip command to install from Pypi

    $ pip install django-scrypt

Basic Usage

To use Scrypt as your default password storage algorithm in Django 1.4, install it and make the following changes. In your Django 1.4 application settings.py file, modify (or add it if it is missing) the PASSWORD_HASHERS tuple to include ScryptPasswordHasher as the first hasher in the tuple. It needs to be at the top.

For example:

PASSWORD_HASHERS = (
  'django_scrypt.hashers.ScryptPasswordHasher',
  'django.contrib.auth.hashers.PBKDF2PasswordHasher',
  'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
  'django.contrib.auth.hashers.SHA1PasswordHasher',
  'django.contrib.auth.hashers.MD5PasswordHasher',
  'django.contrib.auth.hashers.CryptPasswordHasher',
)

You have now changed your app to use Scrypt as the default storage algorithm. As users login to your system they will automatically upgrade to use Scrypt hashes.

Caveat

Hash Format Changes As N Removed

In an attempt to shorten the length of the encoded hash, I removed the N-value and replaced it with an N-exponent value named Nexp. The reason for this is that N must be a power of two {2, 4, 6, … 16384, …etc…} and those digits take up room in a 128 character hash storage space. It makes more sense to me to store the exponent and just make the actual integer on the fly.

N == 16384 == 2 ** 14 therefore Nexp == 14

The bad news is that this introduces a backward incompatible change as of version 0.2.0.

Django Password Field Character Length Limits

By default, Django limits password field lengths to 128 characters. Using the default settings in Django-Scrypt with the Django salting implementation should yield encoded hashes less than 128 characters; however, if you override the ScryptPasswordHasher class variables you might end up overflowing the field.

The solution is to increase the size of the password field using SQL. You should consult your database documentation for the correct commands.

Bugs! Help!!

If you find bugs please report them to the BitBucket issue tracker or send me an email to code@kelvinwong.ca. Any serious security bugs should be reported via email.

https://bitbucket.org/kelvinwong_ca/django-scrypt/issues

Thank-you

Thank-you for taking the time to evaluate this software. I appreciate receiving feedback on your experiences with it and I welcome code contributions and development ideas.

http://www.kelvinwong.ca/coders

Thanks to Dr Colin Percival for his original Scrypt software [2], also to Magnus Hallin for the py-scrypt Python module [3].

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-scrypt-0.2.0.tar.gz (6.8 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page