mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-01-21 07:55:00 +00:00
- Django 3.2 has an argon2 password hashing complexity unsuitable for single board computers. Choose parameters suitable for Olimex Lime2 boards.

Tests:

- In a browser, login to a user without these changes. Notice the hash parameters in sqlite3 auth_user table. Login with the changes. Notice that the hash has been updated with latest hash parameters.
- Login in Django 2.2 and Django 3.2. Login succeeds and hash parameters are updated.
- As measured by the browser. Notice the change in login request time with and without these changes.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
35 lines
1.0 KiB
Python
```python
# SPDX-License-Identifier: AGPL-3.0-or-later
"""
Custom password hashers suitable for home servers.
"""

from django.contrib.auth.hashers import Argon2PasswordHasher


class Argon2PasswordHasherLowMemory(Argon2PasswordHasher):
    """Argon2 password hasher that uses less CPU and RAM than Django's default.

    Derive from and override the default complexity parameters for Django. In
    Django 2.2, the defaults are time: 2, memory: 512 and parallelism: 2. In
    Django 3.2, the defaults are time: 2, memory: 102400, parallelism: 8. This
    takes more than 3 seconds per verification on a Lime2 board.

    On a Pioneer Edition, Olimex Lime2 board, the selected parameters result in
    about 200ms for password verification:

    $ python3 -m argon2 -p 2 -m 4096
    Running Argon2id 100 times with:
            hash_len: 16 bytes
            memory_cost: 4096 KiB
            parallelism: 2 threads
            time_cost: 2 iterations

    Measuring...

    2.17e+02ms per password verification

    """
    # Overriding only these three class attributes is enough: the parent class
    # reads them when encoding a new hash and when deciding whether a stored
    # hash must be upgraded on the next successful login.
    time_cost = 2  # Iterations
    memory_cost = 4096  # KiB
    parallelism = 2  # Threads
```
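The commit message's test plan relies on Django upgrading a stored hash on the next successful login once the hasher's parameters change. The following added example (not FreedomBox or Django code) mimics the comparison behind that behaviour: it parses the encoded Argon2 string that Django stores in `auth_user.password` and reports whether its cost parameters differ from the hasher's current ones. The parameter sets are the ones quoted on the page; the hash strings, their salts and digests are constructed for illustration and are not real Argon2 output.

```python
"""Decide whether a stored Argon2 hash should be re-hashed on login.

Added example, not FreedomBox or Django code. It reproduces the idea
behind Django's must_update(): compare the parameters embedded in the
stored hash with the parameters the hasher currently uses.
"""
import re
from dataclasses import dataclass

# Django stores "argon2" + the argon2-cffi encoded string, i.e.
#   argon2$argon2id$v=19$m=<KiB>,t=<iterations>,p=<threads>$<salt>$<digest>
# The leading "argon2" algorithm prefix is optional here so the bare
# encoded form is accepted too.
ARGON2_RE = re.compile(
    r"^(?:argon2)?\$(?P<variant>argon2(?:id|i|d))\$v=(?P<version>\d+)"
    r"\$m=(?P<memory>\d+),t=(?P<time>\d+),p=(?P<parallelism>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<digest>[A-Za-z0-9+/]+)$"
)


@dataclass(frozen=True)
class Argon2Params:
    variant: str
    version: int
    memory_cost: int  # KiB
    time_cost: int  # iterations
    parallelism: int  # threads


# Parameters chosen on the page for Lime2 boards (Argon2id, version 19 are
# assumptions about the variant/version in use, not stated on the page).
LOW_MEMORY = Argon2Params("argon2id", 19, memory_cost=4096, time_cost=2,
                          parallelism=2)
# Django 3.2 defaults as quoted in the docstring on the page.
DJANGO_32_DEFAULT = Argon2Params("argon2id", 19, memory_cost=102400,
                                 time_cost=2, parallelism=8)


def parse_encoded(encoded: str) -> Argon2Params:
    """Extract variant, version and cost parameters from an encoded hash."""
    match = ARGON2_RE.match(encoded)
    if match is None:
        raise ValueError("not an Argon2 encoded hash")
    return Argon2Params(
        variant=match["variant"],
        version=int(match["version"]),
        memory_cost=int(match["memory"]),
        time_cost=int(match["time"]),
        parallelism=int(match["parallelism"]),
    )


def must_update(encoded: str, current: Argon2Params) -> bool:
    """True when the stored hash was made with different parameters.

    A login handler that gets True here should re-hash the just-verified
    plaintext with `current` and store the result, which is what the
    commit message's manual test observes in the auth_user table.
    """
    return parse_encoded(encoded) != current


# Constructed sample rows (salt/digest are placeholders, not real output).
DJANGO_22_STYLE = "argon2$argon2i$v=19$m=512,t=2,p=2$c2FsdHNhbHQ$ZGlnZXN0ZGlnZXN0"
DJANGO_32_STYLE = "argon2$argon2id$v=19$m=102400,t=2,p=8$c2FsdHNhbHQ$ZGlnZXN0ZGlnZXN0"
LOW_MEMORY_STYLE = "argon2$argon2id$v=19$m=4096,t=2,p=2$c2FsdHNhbHQ$ZGlnZXN0ZGlnZXN0"

if __name__ == "__main__":
    for label, row in (("2.2 default", DJANGO_22_STYLE),
                       ("3.2 default", DJANGO_32_STYLE),
                       ("low memory", LOW_MEMORY_STYLE)):
        print(f"{label:12s} needs rehash -> {must_update(row, LOW_MEMORY)}")
```

Running it shows that hashes written by either Django default are flagged for an upgrade while a hash already made with the low-memory parameters is left alone. The same comparison also explains why a hash must never be "downgraded" silently: if the stored parameters are stronger than the hasher's current ones, `must_update` still returns True and the next login rewrites the hash with the weaker, faster settings, which is the intended trade-off on a Lime2 but worth knowing when reviewing the change.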