diff --git a/project_name/settings/base.py b/project_name/settings/base.py
index 78108d1..9008925 100644
--- a/project_name/settings/base.py
+++ b/project_name/settings/base.py
@@ -182,7 +182,7 @@
 # If using Celery, tell it to obey our logging configuration.
 CELERYD_HIJACK_ROOT_LOGGER = False
-# https://docs.djangoproject.com/en/1.9/topics/auth/passwords/#password-validation
+# https://docs.djangoproject.com/en/{{ docs_version }}/topics/auth/passwords/#password-validation
 AUTH_PASSWORD_VALIDATORS = [
 {
 'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
@@ -205,3 +205,12 @@
 SECURE_BROWSER_XSS_FILTER = True
 CSRF_COOKIE_HTTPONLY = True
 X_FRAME_OPTIONS = 'DENY'
+
+# Use the argon2 password hasher (but maintain compatibility with older hashers). See:
+# https://docs.djangoproject.com/en/{{ docs_version }}/topics/auth/passwords/#using-argon2-with-django
+PASSWORD_HASHERS = [
+ 'django.contrib.auth.hashers.Argon2PasswordHasher',
+ 'django.contrib.auth.hashers.PBKDF2PasswordHasher',
+ 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
+ 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
+]
diff --git a/requirements/base.txt b/requirements/base.txt
index e353aa8..3027ed6 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -2,9 +2,9 @@ psycopg2==2.7.4
 Pillow==5.0.0
 # The comment on the next line tells requests.io to warn us if there's a newer
 # version of Django within the given range, but not for versions outside that
-# range. So if 1.11.12 gets released, we get warned. If 2.0.1 gets released,
+# range. So if 1.11.21 gets released, we get warned. If 2.0.1 gets released,
 # we don't.
-Django==1.11.11 # rq.filter: >=1.11.11,<2.0
+Django[argon2]==1.11.20 # rq.filter: >=1.11.20,<2.0
 six==1.11.0
 BeautifulSoup4==4.6.0
diff --git a/requirements/dev.txt b/requirements/dev.txt
index 0f0d3d1..87c0809 100644
--- a/requirements/dev.txt
+++ b/requirements/dev.txt
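Review bot: `BCryptSHA256PasswordHasher` in the new `PASSWORD_HASHERS` list needs the `bcrypt` package, but the requirements change in this same commit installs only the `argon2` extra. Unless bcrypt is provided somewhere outside this diff, checking a stored `bcrypt_sha256$` hash would fail with a library-load error instead of verifying. Either drop that entry or change the pin to `Django[argon2,bcrypt]==1.11.20`. A comment above the list would also help, e.g. `# Only the first hasher creates new hashes; the others only verify existing ones, which are re-hashed with Argon2 at the user's next login.`, together with a note that `PBKDF2SHA1PasswordHasher` should be removed once no stored hashes use it.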
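Review bot: The `[argon2]` extra on the new Django line pulls in `argon2-cffi` at whatever version pip resolves at install time, while every other entry visible in this hunk is pinned with `==`. Because that package performs the password hashing, it should be pinned on its own line, e.g. `argon2-cffi==<version you tested>`, so that builds are reproducible and an upgrade of the hashing library arrives as a reviewed change.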
@@ -11,7 +11,7 @@ pep8==1.7.1
 mccabe==0.6.1
 # For translation
-transifex-client==0.13.1
+transifex-client==0.13.6
 requires.io