We are creating a user login and registration system and have decided to bypass Django’s auth (for a few reasons, which are outside the scope of this question).
We still need encryption for our passwords and would still like to use that implemented by auth (pbkdf2_sha256, I believe). We could roll our own but would rather use Django’s if we can (again, without using the auth package).
Looking at our Django install (we have 1.4.1, the latest), we found the auth folder (and a file called hashers.py) but, being new to Python, aren’t really sure where to go from here for encrypting our passwords.
Thanks!
EDIT:
Based on the comments and answer received, I’ve decided to use the built-in methods and tables.
If you have a look at the source of Django’s `set_password`, you can see that it calls the `make_password` function, which is probably what you are looking for.
You could then use Django’s `check_password` to verify passwords.
This does add a dependency on `django.contrib.auth`, as these functions are defined in `django.contrib.auth.hashers`, but that’s standard in Django, so I don’t think it’s an issue.
Furthermore, `django.contrib.auth.hashers` has no dependency on anything from `django.contrib.auth`.
I can however only support the advice that was given to you in comments that you should probably be using the default Django auth package – especially given that we’re talking security critical parts here.
By the way, the algorithm used to hash passwords is actually controlled by the `PASSWORD_HASHERS` setting.