I am migrating a PHP backend to Django and I don't want to make users change their passwords. In PHP I'm using Bcrypt, which uses version 2y, while Django uses 2b, making it incompatible.
I've read other solutions where people write a whole new hasher, but that seems too difficult. My solution was to override the check_password() function of my User model:
```python
import bcrypt

# Inside my custom User model
def check_password(self, raw_password):
    alg_prefix = 'bcrypt_php'
    if self.password.startswith(alg_prefix):
        # Legacy hash imported from PHP: strip my marker and hand the raw
        # "$2y$..." string to the bcrypt library directly
        return bcrypt.checkpw(raw_password.encode('utf-8'),
                              self.password[len(alg_prefix):].encode('utf-8'))
    else:
        # Anything else goes through Django's normal hasher chain
        return super().check_password(raw_password)
```
And I save the old passwords with bcrypt_php added at the beginning.
The question is: Is it dangerous to do this? Am I putting my passwords or my system in danger?