Udit Kumawat

Reputation: 684

password hashing using md5 in mongoengine

I am using mongoengine (MongoDB ORM) in Django. I want to authenticate the user, and his password should be stored as a hashed value. Please help me, as mongoengine doesn't give any PasswordField() to store passwords.

Any other options through which I can authenticate the user login?

Upvotes: 0

Views: 868

Answers (1)

Anti-weakpasswords

Reputation: 2712

Django has two very useful password hashing algorithms built in.

See docs.djangoproject.com, which states

By default, Django uses the PBKDF2 algorithm with a SHA256 hash

and

Bcrypt is a popular password storage algorithm that’s specifically designed for long-term password storage. It’s not the default used by Django since it requires the use of third-party libraries, but since many people may want to use it Django supports bcrypt with minimal effort.

Either one of these two is excellent if you use a large enough number of iterations/work factor; do not use any of the other options. This is made easy by Django per the link above:

The PBKDF2 and bcrypt algorithms use a number of iterations or rounds of hashing. This deliberately slows down attackers, making attacks against hashed passwords harder. However, as computing power increases, the number of iterations needs to be increased. We’ve chosen a reasonable default (and will increase it with each release of Django), but you may wish to tune it up

So, in your settings file for a new application, you could increase the work factor with a new subclass:

```python
# myproject/hashers.py (the module path referenced from PASSWORD_HASHERS below)
from django.contrib.auth.hashers import PBKDF2PasswordHasher


class MyPBKDF2PasswordHasher(PBKDF2PasswordHasher):
    """
    A subclass of PBKDF2PasswordHasher that uses 100 times more iterations.
    """
    iterations = PBKDF2PasswordHasher.iterations * 100
```

then put your variant in the settings file, while allowing old PBKDF2-HMAC-SHA-256 and BCryptSHA256 hashes to be read:

```python
# settings.py: the first entry is used for new hashes, the rest remain readable
PASSWORD_HASHERS = [
    'myproject.hashers.MyPBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
    'django.contrib.auth.hashers.BCryptPasswordHasher',
]
```

And also set some password validation:

```python
# settings.py
AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
        'OPTIONS': {
            'min_length': 9,
        }
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]
```

Both helpers live in `django.contrib.auth.hashers`. To validate an entered password (like on a login page) against a stored password:

```python
from django.contrib.auth.hashers import check_password, make_password

# returns True only if `password` matches the stored `encoded` entry
check_password(password, encoded)
```

To generate a new password entry (like from a registration page, where they select or change their password):

```python
# returns the encoded string to store; uses the first PASSWORD_HASHERS entry
make_password(password, salt=None, hasher='default')
```

Upvotes: 1
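As an added example that is not part of the answer above, nor Django's or mongoengine's own code, the following standard-library-only Python reproduces the `pbkdf2_sha256$<iterations>$<salt>$<base64>` layout that Django's PBKDF2PasswordHasher writes, so the resulting string can be kept in an ordinary mongoengine StringField; the ITERATIONS value, the function names and the `must_update` helper are assumptions made here.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
# Assumed work factor; raise it over time, as the answer's subclass does
# with Django's default, and re-hash old entries on the next login.
ITERATIONS = 600_000


def make_password(password: str, salt: Optional[str] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<base64 hash>', the same
    encoded layout Django stores, using a fresh random salt by default."""
    if salt is None:
        salt = secrets.token_urlsafe(16)
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("ascii"), iterations)
    encoded_hash = base64.b64encode(digest).decode("ascii")
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, encoded_hash)


def check_password(password: str, encoded: str) -> bool:
    """Verify a candidate against a stored entry by re-deriving it with the
    stored salt and iteration count, then comparing in constant time."""
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
    except ValueError:
        return False  # malformed or empty entry: never matches
    if algorithm != ALGORITHM:
        return False  # some other scheme; not verifiable here
    candidate = make_password(password, salt=salt, iterations=int(iterations))
    return hmac.compare_digest(candidate.encode(), encoded.encode())


def must_update(encoded: str) -> bool:
    """True when the stored entry uses fewer iterations than ITERATIONS
    (or another scheme), i.e. it should be re-hashed after a successful login."""
    parts = encoded.split("$", 3)
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < ITERATIONS
```

On a successful login, call `must_update` on the stored entry and, if it returns True, store `make_password(password)` in its place so old entries migrate to the current work factor.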
