Reputation: 186
Why does unusable password have random string, in Django's User authentication?
When I read django.contrib.auth code, I found this code in django.contrib.auth.hassers.make_password.
UNUSABLE_PASSWORD_PREFIX + get_random_string(UNUSABLE_PASSWORD_SUFFIX_LENGTH)
However, I don't understand why unusable password is not only UNUSABLE_PASSWORD_PREFIX, which is '!'.
There is this code, in django.contrib.auth.hassers.is_password_usable.
if encoded is None or encoded.startswith(UNUSABLE_PASSWORD_PREFIX):
return False
I think random string is meaningless.
Upvotes: 3
Views: 1482
Answers (2)
Reputation: 11248
The unusable password is used to generate a reset token for password reset.
Therefore knowing it's value ! is less secure than a random string.
Source: https://code.djangoproject.com/ticket/20079
Upvotes: 1
Reputation: 53699
The password hash is used to generate a password reset token. By reducing the complexity, it opens up the reset token to a brute-force attack. The attacker has to have the SECRET_KEY for this to work.
To generate the password reset token, the ID of the user, the date in last_login, the password hash and the SECRET_KEY are used[1]. For superusers, it is reasonably likely that the ID is 1 and the last_login date is within a few weeks of when the site came live, i.e. the superuser has never logged in and it's the creation date of the account.
If the SECRET_KEY is known, the ID is pretty much guessable and the password hash is known, an attacker only has to guess the datetime, which is within a few weeks timespan. A resolution of a second is used (the microsecond part of the last_login is set to 0), which leaves around 600K possible values per week. With time and patience, this value can be brute-forced and the attacker can set a new, usable password for the superuser or admin account.
There are quite a few "if"s in this attack, but it is a possible attack vector. The random hash in the unusable password increases the entropy of the password reset token for unusable passwords, and eliminates this kind of attack.
[1] https://github.com/django/django/blob/master/django/contrib/auth/tokens.py#L66
Upvotes: 5
Related Questions
- Django Password Generator
- Creating new user with random password in django
- Why does Django's AuthenticationForm return weird str in error message
- Why isn't my Django User Model's Password Hashed?
- Django password mismatching get attribute
- Django doesn't store password field in User model
- Django Login Incorrect password showing for correct password
- Why is there a difference in format of encrypted passwords in Django
- Why isn't my password being secured when using a custom user model in Django?
- How does django knows what the password is in create_user() function