Database Table auth_user, how secure is the password field?

[UnicodeTreason]

Hi all,

I'm currently running a Proof of Concept for Nautobot and have noticed it seems to be storing salted and hashed copies of our LDAP credentials in the database.

The documentation is sadly pretty light on this subject.

Can anyone confirm what the password field in auth_user is doing?
And how secure it is?

[smk4664]

Django-ldap-auth is used when authenticating through ldap. If the user is created through ldap, then per the django-ldap-auth docs an unusable password is set.

https://django-auth-ldap.readthedocs.io/en/latest/users.html

Users created by LDAPBackend will have an unusable password set. This will only happen when the user is created, so if you set a valid password in Django, the user will be able to log in through ModelBackend (if configured) even if they are rejected by LDAP. This is not generally recommended, but could be useful as a fail-safe for selected users in case the LDAP server is unavailable.

[UnicodeTreason]

A perfect, my security team will be pleased.

Thank you for the quick response!