Migrate passwords from Drupal 7 to Django

I don't know Drupal very well, but I suppose that the passwords are stored hashed. If that's the case, you'll have to copy the passwords (I mean, copy them unchanged) and you'll have to change the way Django hashes its passwords, using the exactly same way of Drupal, with the same Security Salt.

I really don't know how to do that, but the logic for passwords is contained in the User object. For example. the User.set_password() function (described here) uses the make_password function.

I think with a little research you'll find the way to change it, but the important thing is, remember that the functions must be equals! ie:

drupal_hash(x) == django_hash(x) for every x in the allowed passwords set.

EDIT:

Taking a deeper look django get the has function with the get_hasher function. Now in the 1.4 version there's a way to specify how Django will select that function. Take a look at this: https://docs.djangoproject.com/en/dev/topics/auth/#how-django-stores-passwords

Finally, in order to create your own function, you can take a look at how it's done on the MD5PasswordHasher. It seems really simple. You can use the hashlib python library to generate sha-512 algorithms.

Changing the encode method would require somthing similar to:

def encode(self, password, salt):    assert password    assert salt and '$' not in salt    hash = hashlib.sha512(salt + password).hexdigest()    return "%s$%s$%s" % (self.algorithm, salt, hash)

Thank you, David Robinson, for your code. That made my day! It seems to have a flaw, though: If Drupal decided to not use 'C' but 'D' for the number of iterations, it fails. I fixed the class definition slightly:

class DrupalPasswordHasher(BasePasswordHasher):    algorithm = "S"    iter_code = 'C'    salt_length = 8    def encode(self, password, salt, iter_code=None):        """The Drupal 7 method of encoding passwords"""        if iter_code == None:            iterations = 2 ** _ITOA64.index(self.iter_code)        else:            iterations = 2 ** _ITOA64.index(iter_code)        hash = hashlib.sha512(salt + password).digest()        for i in range(iterations):            hash = hashlib.sha512(hash + password).digest()        l = len(hash)        output = ''        i = 0        while i < l:            value = ord(hash[i])            i = i + 1            output += _ITOA64[value & 0x3f]            if i < l:                value |= ord(hash[i]) << 8            output += _ITOA64[(value >> 6) & 0x3f]            if i >= l:                break            i += 1            if i < l:                value |= ord(hash[i]) << 16            output += _ITOA64[(value >> 12) & 0x3f]            if i >= l:                break            i += 1            output += _ITOA64[(value >> 18) & 0x3f]        longhashed = "%s$%s%s%s" % (self.algorithm, iter_code,                                    salt, output)        return longhashed[:54]    def verify(self, password, encoded):        hash = encoded.split("$")[1]        iter_code = hash[0]        salt = hash[1:1 + self.salt_length]        return encoded == self.encode(password, salt, iter_code)

You should be able to implement this by creating your own subclass of BasePasswordHasher, and adding it to your PASSWORD_HASHERS setting.

Python's hashlib implements sha512.

The page David linked to in the question explains how the number of iterations (16385 for Drupal 7) is encoded in the hash, but it's not clear to me how to get the salt.

Edit: In the comment to @santiago's answer, David says the "the salt is the 5th character through the 12th in the stored Drupal string".