
Python Django Unsalted Md5 Password Hash Format

I've got a user table from an old PHP application where users have unsalted MD5 hashes as passwords, and because I'm migrating the app to Django, I'm trying to put all users in auth_us

Solution 1:

From what I can see in Django 1.6.1 source code you cannot use MD5PasswordHasher with an empty salt: https://github.com/django/django/blob/1.6.1/django/contrib/auth/hashers.py#L397.

But there is UnsaltedMD5PasswordHasher which might work for you.

EDIT: The answer you mentioned was written 4 years ago when Django 1.2 ruled the market. I've checked its password hashing code and it didn't have any assertions there, that's why MD5 hasher worked with empty salts back then.

Solution 2:

I have two suggestions for your problem.

First, please check PASSWORD_HASHERS in settings.py. Django is able to upgrade passwords from older algorithms, but only if they are available in your configuration. Read more at the Django docs.

At least you need the MD5PasswordHasher activated:

PASSWORD_HASHERS = (
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.MD5PasswordHasher',
)

Second, if you've done that already you may try to simply store the old MD5 passwords without the leading md5$$. That's also supported as a fallback. Django will recognize a 32-digit hexadecimal number as an MD5 hash. This is the relevant code block from the Django source code:

# Ancient versions of Django created plain MD5 passwords and accepted
# MD5 passwords with an empty salt.
if ((len(encoded) == 32 and '$' not in encoded) or
        (len(encoded) == 37 and encoded.startswith('md5$$'))):
    algorithm = 'unsalted_md5'

Hope this helps!
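Added example, not part of the original answers and not Django's own code: a stand-alone sketch of the migration path Solution 2 describes, where a bare 32-digit hex value from the old PHP table is recognised with the same length/prefix test, verified once at login, and immediately replaced with a salted PBKDF2 string. The function names, the `ITERATIONS` value and the sample row are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os
import re

ITERATIONS = 200_000  # example value chosen for this sketch, not a Django setting

def identify_hasher(encoded):
    # Same length/prefix test as the Django excerpt quoted above.
    if ((len(encoded) == 32 and '$' not in encoded) or
            (len(encoded) == 37 and encoded.startswith('md5$$'))):
        return 'unsalted_md5'
    return encoded.split('$', 1)[0]

def import_php_hash(raw):
    # Validate a value from the old PHP table before copying it across.
    value = raw.strip().lower()
    if not re.fullmatch(r'[0-9a-f]{32}', value):
        raise ValueError('not a 32-digit hexadecimal MD5 digest')
    return value

def pbkdf2_encode(password, salt=None, iterations=ITERATIONS):
    salt = salt or os.urandom(16).hex()
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(), salt.encode(), iterations)
    return 'pbkdf2_sha256$%d$%s$%s' % (iterations, salt, base64.b64encode(dk).decode())

def verify(password, stored):
    """Return (ok, value_to_store); a legacy hash is replaced on successful login."""
    algorithm = identify_hasher(stored)
    if algorithm == 'unsalted_md5':
        legacy = stored[5:] if stored.startswith('md5$$') else stored
        digest = hashlib.md5(password.encode()).hexdigest()
        if hmac.compare_digest(digest.encode(), legacy.lower().encode()):
            return True, pbkdf2_encode(password)  # upgrade: the MD5 value is dropped
        return False, stored
    if algorithm == 'pbkdf2_sha256':
        _, iterations, salt, _ = stored.split('$', 3)
        expected = pbkdf2_encode(password, salt, int(iterations))
        return hmac.compare_digest(expected.encode(), stored.encode()), stored
    return False, stored

if __name__ == '__main__':
    # Constructed sample row: MD5 of the string "password".
    row = import_php_hash('5F4DCC3B5AA765D61D8327DEB882CF99')
    ok, row = verify('password', row)
    print(ok, identify_hasher(row))
    print(verify('password', row)[0], verify('wrong', row)[0])
```

Until a user logs in, the stored value remains a bare unsalted MD5 digest, so the imported rows stay as weak as they were in the PHP application.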

Solution 3:

You can customize the authentication process, or even write your custom authentication backend. This topic is covered in official documentation:

https://docs.djangoproject.com/en/1.6/topics/auth/customizing/
