Having HMAC required makes supporting legacy passwords without HMAC impossible
See original GitHub issue
I've migrated user accounts from an old Django app. Even though I can set schemes correctly (with the undocumented SECURITY_PASSWORD_SCHEMES) like so:
SECURITY_PASSWORD_HASH = 'sha256_crypt'
SECURITY_PASSWORD_SCHEMES = ['sha256_crypt', 'django_pbkdf2_sha256']
old passwords won't verify because the function utils.verify_and_update_password first gets the HMAC version of the password before verifying through passlib. This seems odd; a key feature of passlib is the ability to support multiple encryption schemes and legacy passwords. Am I missing something?
Issue Analytics
- State:
- Created 9 years ago
- Reactions:1
- Comments:9 (1 by maintainers)
Any update on this?
The old behaviour (from ~2012) can be enabled using
SECURITY_SINGLE_HASH=True
which effectively switches off the use of HMAC.
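The following is an added illustration, not code from the issue or from Flask-Security itself. It reproduces the two verification paths discussed in the thread: the default one, where the submitted password is first replaced by an HMAC keyed with SECURITY_PASSWORD_SALT and only the result is checked against the stored hash, and the SECURITY_SINGLE_HASH path, where the raw password is checked directly. It also sketches how a migration can accept a legacy Django record on login and re-store it in the HMAC'd form so later logins take the default path. Assumptions: the HMAC is HMAC-SHA512 keyed with the salt and hex-encoded; the legacy record uses Django's pbkdf2_sha256 format, which is re-implemented here with the standard library instead of passlib so the block runs offline; the salt value, the sample password and the stored record are all constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for the Flask-Security setting; not a value from the page.
SECURITY_PASSWORD_SALT = "example-only-password-salt"


def get_hmac(password: str, salt: str = SECURITY_PASSWORD_SALT) -> str:
    """Assumed pre-hash step: HMAC-SHA512 of the password keyed with the configured salt, hex-encoded."""
    return hmac.new(salt.encode(), password.encode(), hashlib.sha512).hexdigest()


def django_pbkdf2_sha256_hash(password: str, salt: str, iterations: int = 10000) -> str:
    """Encode a password in Django's 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>' format."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode()}"


def django_pbkdf2_sha256_verify(password: str, encoded: str) -> bool:
    """Verify a candidate against a Django pbkdf2_sha256 record; malformed records never verify."""
    try:
        algorithm, iterations, salt, b64hash = encoded.split("$", 3)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(base64.b64encode(dk).decode(), b64hash)


def verify_password(password: str, encoded: str, single_hash: bool) -> bool:
    """single_hash=False mirrors the default behaviour the issue describes (HMAC first, then the hash check);
    single_hash=True mirrors SECURITY_SINGLE_HASH=True (check the raw password directly)."""
    candidate = password if single_hash else get_hmac(password)
    return django_pbkdf2_sha256_verify(candidate, encoded)


def verify_and_upgrade(password: str, encoded: str) -> tuple[bool, str]:
    """Migration helper (an assumption of this example, not a Flask-Security API):
    accept a legacy single-hash record on login, and return a replacement record
    stored in the HMAC'd form so the next login succeeds on the default path."""
    if verify_password(password, encoded, single_hash=False):
        return True, encoded  # already in the current form, nothing to do
    if verify_password(password, encoded, single_hash=True):
        upgraded = django_pbkdf2_sha256_hash(get_hmac(password), salt=secrets.token_hex(8))
        return True, upgraded
    return False, encoded


# Constructed legacy record, as it would have been imported from the old Django app.
LEGACY_PASSWORD = "correct horse battery staple"
LEGACY_RECORD = django_pbkdf2_sha256_hash(LEGACY_PASSWORD, salt="o0p9mnLKjh", iterations=10000)

if __name__ == "__main__":
    print("default path (HMAC first):", verify_password(LEGACY_PASSWORD, LEGACY_RECORD, single_hash=False))
    print("SECURITY_SINGLE_HASH path: ", verify_password(LEGACY_PASSWORD, LEGACY_RECORD, single_hash=True))
    ok, new_record = verify_and_upgrade(LEGACY_PASSWORD, LEGACY_RECORD)
    print("upgraded record verifies on default path:", ok and verify_password(LEGACY_PASSWORD, new_record, single_hash=False))
```

The first call fails even with the correct password because the 128-character HMAC hex string, not the password, is what gets run through PBKDF2, which is exactly the mismatch the issue reports. Turning the pre-hash off makes the legacy record verify, and the upgrade step shows the usual way out: keep single-hash acceptance only long enough to re-hash each user on their next successful login, then drop it.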