|
@@ -224,8 +224,8 @@ However, Django can only upgrade passwords that use algorithms mentioned in
|
|
|
:setting:`PASSWORD_HASHERS`, so as you upgrade to new systems you should make
|
|
:setting:`PASSWORD_HASHERS`, so as you upgrade to new systems you should make
|
|
|
sure never to *remove* entries from this list. If you do, users using
|
|
sure never to *remove* entries from this list. If you do, users using
|
|
|
unmentioned algorithms won't be able to upgrade. Hashed passwords will be
|
|
unmentioned algorithms won't be able to upgrade. Hashed passwords will be
|
|
|
-updated when increasing (or decreasing) the number of PBKDF2 iterations or
|
|
|
|
|
-bcrypt rounds.
|
|
|
|
|
|
|
+updated when increasing (or decreasing) the number of PBKDF2 iterations, bcrypt
|
|
|
|
|
+rounds, or argon2 attributes.
|
|
|
|
|
|
|
|
Be aware that if all the passwords in your database aren't encoded in the
|
|
Be aware that if all the passwords in your database aren't encoded in the
|
|
|
default hasher's algorithm, you may be vulnerable to a user enumeration timing
|
|
default hasher's algorithm, you may be vulnerable to a user enumeration timing
|
Roy Zheng