[Solved]-Django make_password too slow for creating large list of users programatically


You could use the django.contrib.auth.hashers.MD5PasswordHasher for an initial password. As per Django docs on how Django stores passwords,

By default, Django uses the PBKDF2 algorithm with a SHA256 hash, a
password stretching mechanism recommended by NIST. This should be
sufficient for most users: it’s quite secure, requiring massive
amounts of computing time to break.


Django chooses the an algorithm by consulting the PASSWORD_HASHERS
setting. This is a list of hashing algorithm classes that this Django
installation supports. The first entry in this list (that is,
settings.PASSWORD_HASHERS[0]) will be used [by default] to store passwords, and all
the other entries are valid hashers that can be used to check existing

The default for PASSWORD_HASHERS is:


Thus you’d want to keep the default as it is now, but use a weaker hasher in the beginning; make sure that the MD5PasswordHasher is present in the list. Then use

make_password(pwd, None, 'md5')

to generate a plain salted MD5 password initially; this will not be too weak provided that the initial password is random enough. As the users change their passwords, their passwords will be encrypted with a stronger algorithm.

Leave a comment