damon

Reputation: 8477

storage of password in django and rainbow tables

In the Django docs, it says Django creates the password as a string algo$hash

where algo is pbkdf2 by default and hash is the sha256 hash of the password string.

In some articles, I read that a secure password is created using a random salt which is then stored in the database for each user. This makes it difficult for a malicious user who tries to break the password using rainbow tables. But when I checked the auth_user table for my Django project, I could only find a single string which begins with 'pbkdf2_sha256$' for each user. I couldn't find any salt stored.

Does this mean the password stored is vulnerable to attack using rainbow tables?

Upvotes: 1

Views: 760

Answers (1)

almalki

Reputation: 4785

The Django documentation explicitly states that it hashes passwords with a salt here and here:

The password attribute of a User object is a string in this format:

hashtype$salt$hash

That’s hashtype, salt and hash, separated by the dollar-sign character.

Hashtype is either sha1 (default), md5 or crypt – the algorithm used to perform a one-way hash of the password. Salt is a random string used to salt the raw password to create the hash. Note that the crypt method is only supported on platforms that have the standard Python crypt module available.

So there will be 2 dollar signs, and in between is the salt.

Upvotes: 1
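To make the point of the answer concrete, here is an added example (not from the question, the answer, or Django's own code base) that builds and checks a password string in the same dollar-separated layout the modern `pbkdf2_sha256` hasher uses: `algorithm$iterations$salt$hash`. It uses only the standard library, so it runs without Django installed. The iteration count, the salt generator and the sample passwords are constructed for illustration; Django's real default iteration count is much higher and changes between releases. The useful observation is in `split_password`: the salt is not a separate column, it is the third field of the stored string, and because it is random, two users with the same password get different stored strings, which is exactly what defeats a precomputed rainbow table.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
# Constructed value for a fast demo; Django's real default is far higher.
DEFAULT_ITERATIONS = 100_000


def make_password(password: str, salt: Optional[str] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<base64 hash>'.

    A fresh random salt is generated when none is supplied, so hashing the
    same password twice yields two different strings.
    """
    if salt is None:
        # Hypothetical salt generator: 16 random bytes, URL-safe base64.
        salt = secrets.token_urlsafe(16)
    if "$" in salt:
        # The dollar sign is the field separator and may not appear in the salt.
        raise ValueError("salt must not contain '$'")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    )
    hash_b64 = base64.b64encode(digest).decode("ascii")
    return f"{ALGORITHM}${iterations}${salt}${hash_b64}"


def split_password(encoded: str) -> Tuple[str, int, str, str]:
    """Split a stored string into (algorithm, iterations, salt, hash).

    This is the answer to the question: the salt lives inside the single
    column the questioner saw, between the second and third dollar signs.
    """
    parts = encoded.split("$")
    if len(parts) != 4:
        raise ValueError("expected algorithm$iterations$salt$hash")
    algorithm, iterations, salt, hash_b64 = parts
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return algorithm, int(iterations), salt, hash_b64


def check_password(password: str, encoded: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count.

    hmac.compare_digest is used so the comparison does not leak timing
    information about how many leading characters matched.
    """
    _, iterations, salt, _ = split_password(encoded)
    candidate = make_password(password, salt=salt, iterations=iterations)
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


def same_password_same_stored_string(password: str) -> bool:
    """Show why rainbow tables fail: two encodings of one password differ."""
    return make_password(password) == make_password(password)


if __name__ == "__main__":
    stored = make_password("correct horse battery staple")  # constructed sample
    print("stored:", stored)
    print("fields:", split_password(stored))
    print("right password:", check_password("correct horse battery staple", stored))
    print("wrong password:", check_password("Tr0ub4dor&3", stored))
    print("identical stored strings for same password:",
          same_password_same_stored_string("correct horse battery staple"))
```

Run it once and you will see the salt sitting in plain view inside the `auth_user.password` value; it does not need to be secret, only unique per user, because the attacker would have to build a separate table per salt to use it.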
