why is the output of make_password different than expected?
Question:
Sorry if this is a dumb question, but I’m new to django here. I’m creating a signup flow, one that needs the users email id and password to create the user. I’m trying to hash and salt the password, before saving the salted password in the db, along with the email.
I’m using django’s default make_password(password=password, salt=get_random_string(length=32)) to hash and salt the password. But the output I get is like "!KxPs6lAiW1Im2iuBbuK1lm6dqQz5h08gPSIWlEUr" instead of being something like "algorithm$iterations$salt$hash". Here’s the code:
salt = get_random_string(length=32)
print(salt)
salted_pwd = make_password(password=password, salt=salt)
print("salted", salted_pwd)
Why is this happening and what am I doing wrong here?
Answers:
Likely your password is None, as is specified in the documentation [Django-doc]:
If the password argument is None, an unusable password is returned (one that will never be accepted by check_password()).
This is not the same as an empty password: an unusable password can not be used to login in. Sometimes this means the user can log in through other means however, like an oauth backend, etc. So a user with an unusable password is not the same as an inactive user. If you decide to only log in through OAuth/LDAP/…, then all your users can have unusable passwords.
Sorry if this is a dumb question, but I’m new to django here. I’m creating a signup flow, one that needs the users email id and password to create the user. I’m trying to hash and salt the password, before saving the salted password in the db, along with the email.
I’m using django’s default make_password(password=password, salt=get_random_string(length=32)) to hash and salt the password. But the output I get is like "!KxPs6lAiW1Im2iuBbuK1lm6dqQz5h08gPSIWlEUr" instead of being something like "algorithm$iterations$salt$hash". Here’s the code:
salt = get_random_string(length=32)
print(salt)
salted_pwd = make_password(password=password, salt=salt)
print("salted", salted_pwd)
Why is this happening and what am I doing wrong here?
Likely your password is None, as is specified in the documentation [Django-doc]:
If the password argument is None, an unusable password is returned (one that will never be accepted by
check_password()).
This is not the same as an empty password: an unusable password can not be used to login in. Sometimes this means the user can log in through other means however, like an oauth backend, etc. So a user with an unusable password is not the same as an inactive user. If you decide to only log in through OAuth/LDAP/…, then all your users can have unusable passwords.