Install argon2 support and set as default algorithm #928

Merged: 8 commits, Jan 11, 2017

@amplifi amplifi commented Nov 11, 2016

Proposed changes in this pull request

Installs the Argon2 pip package and overrides the Django default hashing algorithms to prioritize Argon2. (Resolves #876)

When should this PR be merged

Merge with PR for Django 1.10.4 upgrade

Risks

Very low; Django continues to support all previous algorithms, and any passwords hashed using the old default (PBKDF2) will be automatically converted to use Argon2 next time the user logs in.

Follow up actions

We should consider comms -- sending an email to current production users prompting them to log in, so that as many passwords as possible will be updated to use Argon2. For the same reason, Cadasta staff with production accounts should log in after this change is released.
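To make the description above concrete, here is an added example, not code from this pull request: a `PASSWORD_HASHERS` ordering that puts Argon2 first, and a check of how many stored hashes are still waiting for the login-time conversion. The helper names and the sample hashes are constructed for illustration; the helper relies on Django storing the algorithm name as the prefix before the first `$`.

```python
from collections import Counter

# Django tries hashers in order; the first entry hashes new passwords and is
# the target that older hashes are upgraded to at the user's next login.
PASSWORD_HASHERS = [
    "django.contrib.auth.hashers.Argon2PasswordHasher",
    "django.contrib.auth.hashers.PBKDF2PasswordHasher",
    "django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher",
    "django.contrib.auth.hashers.BCryptSHA256PasswordHasher",
    "django.contrib.auth.hashers.BCryptPasswordHasher",
]

PREFERRED = "argon2"  # algorithm prefix Django writes for Argon2 hashes


def algorithm_of(encoded):
    """Return the algorithm prefix of a Django-encoded password field."""
    if not encoded or encoded.startswith("!"):
        return "unusable"  # Django marks unusable passwords with a leading '!'
    if "$" not in encoded:
        return "unknown"
    return encoded.split("$", 1)[0]


def tally_algorithms(encoded_passwords):
    """Count stored hashes per algorithm (hypothetical helper)."""
    return Counter(algorithm_of(e) for e in encoded_passwords)


def pending_upgrade(encoded_passwords):
    """Number of usable hashes not yet stored with the preferred algorithm."""
    counts = tally_algorithms(encoded_passwords)
    return sum(n for alg, n in counts.items() if alg not in (PREFERRED, "unusable"))


# Constructed sample values in Django's encoded layout; salts/digests are fake.
SAMPLE = [
    "pbkdf2_sha256$30000$c2FsdHNhbHQ$ZmFrZWRpZ2VzdA==",
    "pbkdf2_sha256$30000$b3RoZXJzYWx0$ZmFrZWRpZ2VzdDI=",
    "argon2$argon2i$v=19$m=512,t=2,p=2$c2FsdHNhbHQ$ZmFrZWRpZ2VzdA",
    "!unusableplaceholder",
]

if __name__ == "__main__":
    print(dict(tally_algorithms(SAMPLE)), "pending:", pending_upgrade(SAMPLE))
```

Run against the password column of the user table, the pending count shows how much of the user base still has PBKDF2 hashes after the release and whether a login prompt is worth sending.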

@oliverroick oliverroick left a comment


Most of the changes introduced with this PR originate from #1015, a lot of which are my changes. I would suggest to test this in staging to test functionality and then have someone else look over the code when we have confirmed everything is working.

@amplifi amplifi merged commit 5ce23a5 into master Jan 11, 2017
@amplifi amplifi deleted the security/#876 branch January 11, 2017 15:14