PGCon2017 - 20180510

PGCon 2017
The PostgreSQL Conference

Drew Engelson
Day Talks - Day 2 - 2017-05-26
Room DMS 1110
Start time 16:00
Duration 00:45
ID 1029
Event type Lecture
Track Case Studies
Language used for presentation English

Pgcrypto avast!

A study in Django's password hashers

This talk outlines what happened when I needed to migrate hundreds of thousands of end-user logins from a legacy application to a Django application for a client (National Geographic).

The primary challenge was that each user's password was originally created with the Postgres pgcrypto.crypt() function and only the one-way hash is stored, which is unusable by Django, which has its own algorithms for hashing and storing passwords.

  • We can't decrypt the hashed passwords for the migration.
  • We can try to crack them... :‑/
  • Oh, and this all needs to be completely transparent to the end user.

How to migrate these users into Django?

We will wander through the wonderful world of pgcrypto, Python password hashing, brute force attacks, and Django's authentication and password hashing internals. We will arrive at a successful solution (or will we?) and the Django package I whipped up and open sourced to handle this.
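An added example (editor's code, not the speaker's package and not Django's own source) of the mechanism the abstract is driving at: a custom Django-style hasher that verifies the untouched pgcrypto crypt() output, plus the "check, then re-hash on the first successful login" flow that makes the migration invisible to the user. It assumes the legacy rows were produced with crypt(password, gen_salt('md5')); the talk does not say which crypt() algorithm was used, and a bf (bcrypt) salt would need a bcrypt verifier instead. So that it runs without Django installed, BasePasswordHasher, identify_hasher() and check_password() are replaced by minimal stand-ins that keep Django's `algorithm$...` prefix convention and the `pbkdf2_sha256$iterations$salt$hash` layout; the md5crypt routine, the `pgcrypto_md5` tag, the User class and the sample password and salt are all constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets

# FreeBSD/glibc md5crypt, which is what pgcrypto's crypt(pw, gen_salt('md5')) computes.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, n):
    # crypt(3)'s little-endian base-64: lowest 6 bits first
    return "".join(_ITOA64[(value >> (6 * k)) & 0x3F] for k in range(n))


def md5_crypt(password, salt):
    """Return '$1$<salt>$<22 chars>'. `salt` may be a bare salt or an existing hash;
    at most 8 salt characters are used, as crypt(3) does. Passwords are UTF-8 encoded."""
    pw = password.encode("utf-8")
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]
    sb = salt.encode("ascii")
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # feed len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                               # one byte per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                     # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples)
    return f"$1${salt}${out}{_to64(final[11], 2)}"


class LegacyPgcryptoMD5Hasher:
    """Verifies rows imported as 'pgcrypto_md5$<original crypt() output>'.
    Follows Django's BasePasswordHasher contract (algorithm / verify / must_update)."""
    algorithm = "pgcrypto_md5"

    def verify(self, password, encoded):
        _, legacy = encoded.split("$", 1)
        return hmac.compare_digest(md5_crypt(password, legacy), legacy)

    def must_update(self, encoded):
        return True  # the only time we hold the plaintext is at login: re-hash then


class PBKDF2Hasher:
    """Stand-in for Django's pbkdf2_sha256 hasher using the same encoded layout.
    The iteration count is illustrative, not Django's current default."""
    algorithm = "pbkdf2_sha256"
    iterations = 100_000

    def _hash(self, password, salt, iterations):
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("ascii"), iterations)
        return f"{self.algorithm}${iterations}${salt}${base64.b64encode(dk).decode('ascii')}"

    def encode(self, password, salt=None):
        return self._hash(password, salt or secrets.token_hex(8), self.iterations)

    def verify(self, password, encoded):
        _, iterations, salt, _ = encoded.split("$", 3)
        return hmac.compare_digest(self._hash(password, salt, int(iterations)), encoded)

    def must_update(self, encoded):
        return int(encoded.split("$", 3)[1]) < self.iterations


HASHERS = {h.algorithm: h for h in (PBKDF2Hasher(), LegacyPgcryptoMD5Hasher())}
PREFERRED = HASHERS["pbkdf2_sha256"]


def identify_hasher(encoded):
    return HASHERS[encoded.split("$", 1)[0]]  # Django routes on the text before the first '$'


def check_password(password, encoded, setter=None):
    """Minimal version of Django's check_password(): verify with the hasher the stored
    prefix names, then let `setter` re-hash with the preferred hasher if the row is stale."""
    hasher = identify_hasher(encoded)
    ok = hasher.verify(password, encoded)
    if ok and setter and (hasher.algorithm != PREFERRED.algorithm or hasher.must_update(encoded)):
        setter(password)
    return ok


def import_legacy_row(crypt_output):
    """What the one-off migration writes: the crypt() output untouched, tagged for routing."""
    return f"pgcrypto_md5${crypt_output}"


class User:
    """Tiny stand-in for the model's password field with set_password / check_password."""
    def __init__(self, password_field):
        self.password = password_field

    def set_password(self, raw):
        self.password = PREFERRED.encode(raw)

    def check_password(self, raw):
        return check_password(raw, self.password, setter=self.set_password)


if __name__ == "__main__":
    # Constructed: the value a legacy app would have stored from crypt('correct horse', gen_salt('md5')).
    user = User(import_legacy_row(md5_crypt("correct horse", "$1$Xy8zQ1pL$")))
    print(user.check_password("wrong"), user.password[:16])           # False, still legacy
    print(user.check_password("correct horse"), user.password[:16])   # True, now pbkdf2_sha256
```

A wrong password leaves the legacy row untouched, so users who never log in again are never silently "upgraded"; a correct one is re-hashed in the same request, and the legacy hasher can be dropped from the settings once no `pgcrypto_md5$` rows remain. Check the md5crypt routine against your own data with `SELECT crypt('<known password>', '<stored hash>')` in Postgres before trusting it on a live migration.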