18👍
You could use the django.contrib.auth.hashers.MD5PasswordHasher for an initial password. As per Django docs on how Django stores passwords,
By default, Django uses the PBKDF2 algorithm with a SHA256 hash, a
password stretching mechanism recommended by NIST. This should be
sufficient for most users: it’s quite secure, requiring massive
amounts of computing time to break.[…]
Django chooses the an algorithm by consulting the PASSWORD_HASHERS
setting. This is a list of hashing algorithm classes that this Django
installation supports. The first entry in this list (that is,
settings.PASSWORD_HASHERS[0]) will be used [by default] to store passwords, and all
the other entries are valid hashers that can be used to check existing
passwords. […]The default for PASSWORD_HASHERS is:
PASSWORD_HASHERS = ( 'django.contrib.auth.hashers.PBKDF2PasswordHasher', 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher', 'django.contrib.auth.hashers.BCryptPasswordHasher', 'django.contrib.auth.hashers.SHA1PasswordHasher', 'django.contrib.auth.hashers.MD5PasswordHasher', 'django.contrib.auth.hashers.CryptPasswordHasher' )
Thus you’d want to keep the default as it is now, but use a weaker hasher in the beginning; make sure that the MD5PasswordHasher is present in the list. Then use
make_password(pwd, None, 'md5')
to generate a plain salted MD5 password initially; this will not be too weak provided that the initial password is random enough. As the users change their passwords, their passwords will be encrypted with a stronger algorithm.