"Peter J. Holzer" <hjp-pgsql@hjp.at> writes: > The web framework Django will automatically and transparently rehash any > password with the currently preferred algorithm if it isn't stored that > way already.
Really? That implies that the framework has access to the original cleartext password, which is a security fail already.
It happens upon user login. If the user's password is hashed with an old algorithm, it is re-hashed during login when the Django application running on the Web server has the password sent by the user: