Password string comparison in Django app

Question

It\'s impossible to get passwords of a user in any Django app, by design.

I\'m implementing a change password feature for my Django app, and one of the req

Answer 1

You don't need to store the old password in a session and you shouldn't either. Because the session data get's saved in the session storage and for that brief period when the password is being changed, it's there in plain text format. Theoretically an attacker could use a database event or trigger to capture these plain text password objects. The better approach would be to use django's built in password functions.

check_password(password, encoded) If you’d like to manually authenticate a user by comparing a plain-text password to the hashed password in the database, use the convenience function check_password(). It takes two arguments: the plain-text password to check, and the full value of a user’s password field in the database to check against, and returns True if they match, False otherwise.

In your case you would need to create a custom form, that calls this method as part of it's clean() method. If the above function call returns true, you need to raise a validation error saying the old password is being reused.

Answer 2

Following on from my suggestion under e4c5's answer, it would appear as though there are existing packages such as Django Password Validator that will do this for you so you don't really need to write it yourself.

Essentially, it seems that this works via storing the previously used hashed passwords in a database and then comparing the new hashed password to those currently stored.

See the source code for their validator for more information.