PGCon2017 - 20180510
PGCon 2017
The PostgreSQL Conference
| Speakers | |
|---|---|
|
Drew Engelson |
| Schedule | |
|---|---|
| Day | Talks - Day 2 - 2017-05-26 |
| Room | DMS 1110 |
| Start time | 16:00 |
| Duration | 00:45 |
| Info | |
| ID | 1029 |
| Event type | Lecture |
| Track | Case Studies |
| Language used for presentation | English |
Pgcrypto avast!
A study in Django's password hashers
This talk outlines what happened when I needed to migrate hundreds of thousands of end user logins from a legacy application to a Django application for a client (National Geographic).
The primary challenge was that each user's password was originally created with the Postgres pgcrypto.crypt() function and only the one-way hash is stored, which is unusable by Django which it's own algorithms for hashing and storing passwords.
- We can't decrypt the hashed passwords for the migration.
- We can try to crack them... :‑/
- Oh, and this all needs to be completely transparent to the end user.
How to migrate these users into Django?
We will wander through the wonderful world of pgcrypto, Python password hashing, brute force attacks, and Django's authentication and password hashing internals. We will arrive at a successful solution (or will we?) and the Django package I whipped up and open sourced to handle this.