Reputation: 684
password hashing using md5 in mongoengine
I am using mongoengine(MongoDb ORM) in django.I wan to authenticate the user and his password should be stored in hashed value. Plz help me as mongoengine doesn't give any PasswordField() to store password.
Any other options through which I can authenticate the user login .
Upvotes: 0
Views: 868
Answers (1)
Reputation: 2712
Django has two very useful password hashing algorithms built in.
See docs.djangoproject.com, which states
By default, Django uses the PBKDF2 algorithm with a SHA256 hash
and
Bcrypt is a popular password storage algorithm that’s specifically designed for long-term password storage. It’s not the default used by Django since it requires the use of third-party libraries, but since many people may want to use it Django supports bcrypt with minimal effort.
Either one of these two are excellent if you use a large enough number of iterations/work factor; do not use any of the other options. This is made easy by django per the link above:
The PBKDF2 and bcrypt algorithms use a number of iterations or rounds of hashing. This deliberately slows down attackers, making attacks against hashed passwords harder. However, as computing power increases, the number of iterations needs to be increased. We’ve chosen a reasonable default (and will increase it with each release of Django), but you may wish to tune it up
So, in your settings file for a new application, you could increase the work factor with a new subclass:
from django.contrib.auth.hashers import PBKDF2PasswordHasher
class MyPBKDF2PasswordHasher(PBKDF2PasswordHasher):
"""
A subclass of PBKDF2PasswordHasher that uses 100 times more iterations.
"""
iterations = PBKDF2PasswordHasher.iterations * 100
then put your variant in the settings file, while allowing old PBKDF2-HMAC-SHA-256 and BCryptSHA256 hashes to be read:
PASSWORD_HASHERS = [
'myproject.hashers.MyPBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
'django.contrib.auth.hashers.BCryptPasswordHasher',
]
And also set some password validation:
AUTH_PASSWORD_VALIDATORS = [
{
'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
'OPTIONS': {
'min_length': 9,
}
},
{
'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
},
]
To validate an entered password (like on a login page) against a stored password:
check_password(password, encoded)
To generate a new password entry (like from a registration page, where they select or change their password):
make_password(password, salt=None, hasher='default')
Upvotes: 1
Related Questions
- How to secure MongoDB with username and password
- Why my hashing password through bcrypt is differnet when it store in database
- How to reset Django admin password?
- Is "double hashing" a password less secure than just hashing it once?
- cannot authenticate hashed password in Flask
- mongoengine and django auth, login