2

this is the password :

sha1$265b1$5ff32d53cf53bdef243b6f83e33e513514352406
sha1$73f58$b037706983a566e2a2b4bab7ef062c2e84f4a33e

These two strings' passwords are both '123456',

but why do they have different strings?

thanks

zjm1126
  • 34,604
  • 53
  • 121
  • 166

3 Answers

1

Until Django 1.3, the "salt" was applied to the raw password:

The password attribute of a User object is a string in this format:

hashtype$salt$hash

That's hashtype, salt and hash, separated by the dollar-sign character.

Hashtype is either sha1 (default), md5 or crypt -- the algorithm used to perform a one-way hash of the password. Salt is a random string used to salt the raw password to create the hash.

But after Django 1.4 the "salt" part isn't recorded in the database and it uses another algorithm by default.

diegueus9
  • 29,351
  • 16
  • 62
  • 74
  • 1
    The bit about django 1.4 not storing the salt part is incorrect. It's true that django 1.4 uses a new algorithm (PBKDF2) by default but there would be no way to verify the password if you didn't store the salt. In addition to the salt, it records the number of iterations, and hashes the key multiple times (10,000 by default) to increase the difficulty of brute force attacks in a way that can easily be scaled as computing power increases. – Vinay Pai Jan 15 '13 at 22:27
  • Following the documentation linked, now the records of the passwords are algorithm$hash without the salt, maybe there is an error in the official docs? https://docs.djangoproject.com/en/1.4/topics/auth/#how-django-stores-passwords – diegueus9 Jan 15 '13 at 23:32
  • 1
    It's a bit misleading, it would be better to refer to that as "token" instead, probably. What it means is the authentication mechanism uses the portion before the first $ to determine which algorithm has been used, and calls the appropriate hasher from among those specified in the PASSWORD_HASHERS setting. It passes the rest of the string (after the first $). The "hash" can consist of several subparts, and most algorithms do use a salt, notably the default one: https://docs.djangoproject.com/en/dev/topics/auth/passwords/ – Vinay Pai Jan 17 '13 at 18:27
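An added worked example (not part of the question or answers above, and not Django's own code) that shows why the two rows in the question differ: each stores its own random salt in the middle field, and the hash is computed over salt plus password, so the same password yields a different string every time it is saved. It also shows the Django 1.4-style `pbkdf2_sha256$iterations$salt$hash` layout mentioned in the comments, where the salt and iteration count are stored alongside the hash. The `sha1(salt + password)` construction is taken from the docs quoted in the answer; the PBKDF2 encoding (base64 digest, fields separated by `$`) is an assumption about Django's format, and the sample rows marked as constructed are made up here.

```python
import base64
import hashlib
import hmac
import secrets

# Rows quoted in the question: legacy "hashtype$salt$hash" layout.
LEGACY_ROWS = [
    "sha1$265b1$5ff32d53cf53bdef243b6f83e33e513514352406",
    "sha1$73f58$b037706983a566e2a2b4bab7ef062c2e84f4a33e",
]


def parse_legacy(encoded):
    """Split 'hashtype$salt$hash' into its three fields."""
    hashtype, salt, digest = encoded.split("$", 2)
    return hashtype, salt, digest


def new_salt(length=5):
    """Random hex salt; Django <= 1.3 used a 5-character salt (assumption)."""
    return secrets.token_hex(length)[:length]


def legacy_sha1_encode(password, salt):
    """Django <= 1.3 style: sha1(salt + raw_password), per the docs quoted above."""
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return "sha1$%s$%s" % (salt, digest)


def legacy_verify(password, encoded):
    """Recompute the hash with the stored salt and compare in constant time."""
    hashtype, salt, digest = parse_legacy(encoded)
    if hashtype != "sha1":
        raise ValueError("unsupported hashtype: %s" % hashtype)
    candidate = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def pbkdf2_encode(password, salt, iterations=10000):
    """Django 1.4 style (assumed layout): pbkdf2_sha256$iterations$salt$base64hash."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt.encode("utf-8"), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, salt, base64.b64encode(raw).decode("ascii"))


def pbkdf2_verify(password, encoded):
    """Read algorithm, iteration count and salt back out of the stored string."""
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported algorithm: %s" % algorithm)
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt.encode("utf-8"), int(iterations))
    return hmac.compare_digest(base64.b64encode(raw).decode("ascii"), digest)


def demo(password="123456"):
    """Same password, two fresh salts: different strings, both verify."""
    row_a = legacy_sha1_encode(password, new_salt())
    row_b = legacy_sha1_encode(password, new_salt())
    row_c = pbkdf2_encode(password, new_salt(12))
    return {
        "legacy_rows_differ": row_a != row_b,
        "legacy_a_verifies": legacy_verify(password, row_a),
        "legacy_b_verifies": legacy_verify(password, row_b),
        "wrong_password_rejected": not legacy_verify("wrong", row_a),
        "pbkdf2_verifies": pbkdf2_verify(password, row_c),
    }


if __name__ == "__main__":
    for row in LEGACY_ROWS:
        print(parse_legacy(row))
    print(demo())
```

Running `legacy_verify("123456", row)` over the two rows from the question is the direct way to check the claim that both encode the same password; `demo()` does the same thing with constructed salts. The `hmac.compare_digest` calls are there because a plain `==` on hex strings leaks timing information about how many leading characters matched.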
0

As stated in the Docs, django uses a salt to hash the password. The salt is the few characters between the 2 $, so technically you can update 1 of those rows with the other value.

For more regarding salt-hashing see This question

Community
  • 1
  • 1
The Scrum Meister
  • 29,681
  • 8
  • 66
  • 64
-2

That depends on your algorithm; some algorithms' results are not the same.

rexshi
  • 179
  • 1
  • 7