After upgrading from Django 1.2.7 to Django 1.4.3, we had a problem where users were unable to log in.
This was due to a change in the password-hashing code between those releases: the hashers that verify stored passwords were reworked, and the hasher for our legacy rows no longer accepts them.
When a user attempts to log in, the authentication process checks the "password" field in the User table.
The password field contains 3 components: algorithm$salt$hash
The algorithm name determines which hasher is used to verify the password. The salt is generated randomly when the password is set; for the affected rows it is an empty string "", so the stored value looks like "md5$$<hash>".
For now, you can work around the error by adding a new module, working_unsalted/hashers.py (its dotted path has to match the entry you add to PASSWORD_HASHERS, so the package must be importable from your project):
```python
from django.contrib.auth.hashers import UnsaltedMD5PasswordHasher
from django.utils.crypto import constant_time_compare


class WorkingUnsaltedMD5PasswordHasher(UnsaltedMD5PasswordHasher):
    """
    The default UnsaltedMD5PasswordHasher uses constant_time_compare(), but passes it the wrong values.
    """
    algorithm = "working_unsalted_md5"

    def verify(self, password, encoded):
        # Unsalted: hash the password alone, exactly as the legacy rows were written.
        encoded_2 = self.encode(password, '')
        # Stored rows look like "working_unsalted_md5$$<hash>"; the algorithm
        # name plus the two "$" around the empty salt is 22 characters, so
        # compare only the hash portion with the freshly computed digest.
        return constant_time_compare(encoded[22:], encoded_2)
```
In your settings file, add the new hasher to PASSWORD_HASHERS. Keep it at the end of the tuple: the first entry is the hasher Django uses when a password is set, and the remaining entries are only consulted to verify existing hashes, which is all the workaround hasher should ever do.
```python
PASSWORD_HASHERS = (
    'django.contrib.auth.hashers.BCryptPasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.SHA1PasswordHasher',
    'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher',
    'django.contrib.auth.hashers.MD5PasswordHasher',
    'django.contrib.auth.hashers.CryptPasswordHasher',

    'working_unsalted.hashers.WorkingUnsaltedMD5PasswordHasher',
)
```
Lastly, change the algorithm in the database by rewriting the affected auth_user.password values from "md5$..." to "working_unsalted_md5$...". When such a user next tries to log in, Django resolves the new algorithm name to the new hasher and verification succeeds. Because the workaround hasher is not the first entry in PASSWORD_HASHERS, Django 1.4 also re-hashes the password with the preferred hasher after a successful login, so each rewritten row is upgraded the next time its user signs in.
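To make the failure and the fix concrete without a Django install, here is an added illustration (it is not code from the post or from Django): hashlib and hmac.compare_digest stand in for Django's unsalted MD5 encode() and constant_time_compare(), the verify functions and rename_row() are simplified stand-ins for the hasher subclass and the database rewrite described above, and the auth_user rows are constructed samples.

```python
# Added illustration, not code from the post or from Django: a Django-free model
# of the login failure described above and of the workaround. hashlib and
# hmac.compare_digest stand in for Django's UnsaltedMD5PasswordHasher.encode()
# and constant_time_compare(); the stored rows below are constructed samples.
import hashlib
import hmac

ALGORITHM = "working_unsalted_md5"
PREFIX = ALGORITHM + "$$"  # "algorithm$salt$" with an empty salt: 22 characters
LEGACY_PREFIX = "md5$$"    # what the old install wrote for an empty salt


def unsalted_md5(password):
    """Hex MD5 of the password alone, which is what an empty salt reduces to."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_as_shipped(password, encoded):
    """Models the failing comparison: the whole stored value, 'md5$$' prefix
    included, is compared with a bare 32-character digest, so even the
    correct password is rejected."""
    return hmac.compare_digest(encoded, unsalted_md5(password))


def verify_working(password, encoded):
    """The post's verify(): slice off the 22-character prefix and compare only
    the digest, in constant time. The startswith() guard is an addition here
    so a row in any other format is rejected rather than mis-sliced."""
    if not encoded.startswith(PREFIX):
        return False
    return hmac.compare_digest(encoded[len(PREFIX):], unsalted_md5(password))


def rename_row(encoded):
    """The database step as a pure function:
    'md5$$<hex>' -> 'working_unsalted_md5$$<hex>'.
    Rows in any other format (salted md5, pbkdf2, bcrypt, ...) are untouched,
    since those are still handled by Django's own hashers."""
    if encoded.startswith(LEGACY_PREFIX) and len(encoded) == len(LEGACY_PREFIX) + 32:
        return PREFIX + encoded[len(LEGACY_PREFIX):]
    return encoded


def migrate_and_check(rows, password):
    """Run the rename over a constructed auth_user.password column and report,
    per row, whether the password verifies before and after the rewrite."""
    report = {}
    for username, encoded in rows.items():
        renamed = rename_row(encoded)
        report[username] = {
            "before": verify_as_shipped(password, encoded),
            "after": verify_working(password, renamed),
            "renamed": renamed,
        }
    return report


# Constructed sample column: alice has a legacy empty-salt row, bob a salted
# md5 row (md5(salt + password)) that the rewrite must leave alone.
SAMPLE_ROWS = {
    "alice": LEGACY_PREFIX + unsalted_md5("correct horse"),
    "bob": "md5$ab12$" + hashlib.md5(b"ab12correct horse").hexdigest(),
}

if __name__ == "__main__":
    for user, result in migrate_and_check(SAMPLE_ROWS, "correct horse").items():
        print(user, result["before"], "->", result["after"], result["renamed"])
```

Running it shows alice failing under the shipped comparison and passing once her row is renamed and sliced at the 22-character prefix, while bob's salted row is returned unchanged (it is not one of ours, and verify_working correctly refuses it). The length check in rename_row is the caveat worth keeping in the real UPDATE statement: only rows of exactly "md5$$" plus 32 hex characters should be rewritten.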
I've made a ticket and pull request for this issue, so hopefully it'll be fixed in Django 1.4.4.