Making Django.contrib.auth store plain-text password

Question

I have a Django-based site (not yet launched, so there are no real users) using plain django.contrib.auth, and want to store passwords as plain-text, not salted SHA-1 hashes.

The question is what's the best approach to do this, hopefully, without patching (or monkey-patching) Django source code?

NOTE: I perfectly know this is certainly less secure. Plaintext is required to perform challenge-response auth, like CHAP for PPTP VPN, DIGEST-MD5 for IMAP4 and HTTP Digest for WebDAV-based file storage. So, I'm trading DB-level security with connection-level security.

Of course, I'm considering educating and encouraging users on using X.509 certificates (and not having any passwords), but this is not so easy.

Reversibly encrypting (obfuscating) passwords, and using some sort column-level permissions so the password will be INSERTable/UPDATEable, but not SELECTable by the web user (only accessible for some custom check function, like SELECT * FROM users WHERE 'somesha1hash' = USER_HMAC(id, 'salt')) so the passwords wont be "just there" is a good idea and I'll try to do it. Suggestions on securing plaintext data are warmly welcomed, but what I mostly want to hear is how to hack the way passwords are stored.

Answer 1

Don't do this. It violates basic security principles. Better not have password at all than doing this.

Regarding your updated question: store those external access password encrypted in a seperate table (they may not all be the same, anyway). User user's password to generated salted key for this encryption. Then, wenn she logs in, you app may decrypt and use those keys.

This very hard indeed to get right. Good luck!

Answer 2

Why?

Trying to make a quality framework like Django do the wrong thing, on purpose, may require a certain amount of hair-pulling.

Answer 3

In Django, it's not that hard: you simply have to write an authentication backend, that will authenticate users against password stored in plaintext.

That said, you should never store passwords in plaintext.
The main point is that people tend to use the same password over and over again and therefore, using plaintext in your site you put your users at risks for an attacker to get to their bank account.
Jeff Atwood wrote a nice post, about this topic, You're Probably Storing Passwords Incorrectly; I suggest you reading it, because it will explain issues about plaintext in passwords in a much better way than me.
At least, you should encourage your users to use a different password from their "secure" ones; for instance, you could simply generate new random passwords, even if this approach has its own limitations, too.

Another approach, that could be much more secure: write your authentication backend, that will validate against (for instance) the WebDAV storage. You do not store the passwords anywhere in your system - you simply pass them through. I do not know if it may work in your case (especially if you have to authenticate against several sources) but at least you can give it a try.