Can a simple MD5 hash converted to a django password?

2
votes

I have a legacy users database which I would like to integrate into a new Django project.

The users passwords are saved in the old database with a plain and simple MD5 encryption(PHP md5() function), without any salting whatsoever.

Overriding the check_password and set_password of django.contrib.auth is not an option, since I already have new users active on the new Django project.

Looked into passlib, but unfortunately it doesn't do what is needed to be done on this specific project.

So basically, my only option is to convert the hashes somehow into the Django salted format, or implement a custom check_password method, that will determine if the password is plain MD5 or a django password(possibly even by a parameter in my Custom user model, something like legacy=True boolean flag).

Any help is much appreciated.

2
pythondjangoencryptioncryptographypassword-encryption
"convert the hashes somehow into the Django salted format" - that should be impossible to do. The second option sounds right.amsh
I know that MD5 is considered a one-way encryption, but maybe someone knows of a very good rainbow table :DOleg Belousov
And it could actually work, except I am not too enthusiastic about making such a manipulation to django.contrib.authOleg Belousov
@OlegTikhonov I know you got the correct answer from Martijn, but for interest only there's a very good md5 rainbow table called Google. Seriously, try it with some of your hashes.Duncan

2 Answers

7
votes

The Django contrib.auth.hashers module already supports plain, unsalted MD5 passwords:

# Ancient versions of Django created plain MD5 passwords and accepted
# MD5 passwords with an empty salt.
if ((len(encoded) == 32 and '$' not in encoded) or
        (len(encoded) == 37 and encoded.startswith('md5$$'))):
    algorithm = 'unsalted_md5'

So, if your hashes are length 32 (a hex representation of the hash), and contains no $ character (which would indicate there is a hash signature prefix), or the hash is 37 characters long and starts with md5$$ then your hashes are already supported.

Even better: any user successfully authenticating will have their password hash automatically updated to the current preferred scheme. Your users will themselves migrate your database.

1
votes

In these cases i suggest you take different approach.

1) Create your own authentication backend.

2) In that backend implement the same password validation system, that your php project has.

3) Compare hashed passwords in backend just like django authentication backend does.

4) After successful authentication, set users password with django methods, so, that it would use default django authentication logic.

5) Log user in.