Upgrade to argon password hasher.

The Argon2 password hasher is the currently recommended password hasher for Django. Fixes #3362.
2017-01-21 00:42:33 +05:30 · 2017-01-21 00:42:33 +05:30 · 483a351d44
parent 5efb072e63
commit 483a351d44
3 changed files with 9 additions and 1 deletions
--- a/requirements/common.txt
+++ b/requirements/common.txt
@ -178,3 +178,6 @@ pycodestyle==2.2.0
 # Needed for link preview
 beautifulsoup4==4.5.3
 git+https://github.com/rafaelmartins/pyoembed.git@eb9901917c2a44b49e2887c077ead84a722c50dc#egg=pyoembed
+
+# Needed for password hashing
+argon2-cffi==16.3.0
--- a/version.py
+++ b/version.py
@ -1,2 +1,2 @@
 ZULIP_VERSION = "1.5.1+git"
-PROVISION_VERSION = '4.5'
+PROVISION_VERSION = '4.6'
--- a/zproject/settings.py
+++ b/zproject/settings.py
@ -488,6 +488,11 @@ if DEVELOPMENT:
    # Also we auto-generate passwords for the default users which you
    # can query using ./manage.py print_initial_password
    INITIAL_PASSWORD_SALT = get_secret("initial_password_salt")
+else:
+    # For production, use the best password hashing algorithm: Argon2
+    # Zulip was originally on PBKDF2 so we need it for compatibility
+    PASSWORD_HASHERS = ('django.contrib.auth.hashers.Argon2PasswordHasher',
+                        'django.contrib.auth.hashers.PBKDF2PasswordHasher')

 ########################################################################
 # API/BOT SETTINGS