python - werkzeug.security generate_password_hash alternative without SHA-1

I use generate_password_hash from werkzeug.security to hash and salt my passwords. I recently saw this article about SHA-1 collisions. werkzeug.security uses SHA-1 and since it is not as safe any more I would like an alternative. How can I hash my passwords without relying on SHA-1?

from werkzeug.security import generate_password_hash

secret = "example-password"  # placeholder; in the app this comes from the user
generate_password_hash(secret)


1 Reply

The use of SHA-1 in generate_password_hash is not vulnerable, as it is only used as an intermediate, iterated step in the PBKDF2 hash. See the discussion in chat.

when you're chaining zillions of hashes as in PBKDF2 the risk is indistinguishable from someone breaking a strong password by pure chance.

There was further discussion on the cryptography-dev mailing list.

You're correct that HMAC's security is still fine when used with SHA-1, HMAC-MD5 is even secure believe it or not.


generate_password_hash takes a method argument to customize how the hash is generated. The default is pbkdf2:sha1. Pass a different derivation method for PBKDF2.

generate_password_hash(secret, method='pbkdf2:sha512')

You can also change the number of iterations from the default of 150,000 to a higher number, at the cost of a slower hash speed. pbkdf2:sha1:200000.


You're probably okay with PBKDF2, as long as the hash and iterations are tuned well. Alternatively, use Passlib, which supports more hash methods than Werkzeug. See Passlib's recommended hashes for discussion on which hashes to use. This example shows how to use bcrypt with Passlib.

$ pip install passlib bcrypt

from passlib.context import CryptContext

secret = "example-password"  # placeholder for the user's password
crypt_context = CryptContext(schemes=['bcrypt_sha256'])
crypt_context.hash(secret)
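To make the answer's point concrete, here is an added example (my code, not part of the answer, Werkzeug or Passlib) of a small PBKDF2 password hasher that accepts method strings of the same `pbkdf2:<digest>[:<iterations>]` shape shown above, stores the parameters next to the salt and digest, and can tell whether an old `pbkdf2:sha1` record should be upgraded at the user's next successful login. The `method$salt$hexdigest` layout follows Werkzeug's convention as I understand it; the helper names (`hash_password`, `check_password`, `needs_rehash`) and the sample password are my own.

```python
import hashlib
import hmac
import secrets

# Added example, not Werkzeug's own implementation. The stored-string layout
# "method$salt$hexdigest" mirrors Werkzeug's format as I understand it; the
# behaviour of the real library is an assumption, not something tested here.

DEFAULT_ITERATIONS = 150_000   # the default iteration count the answer mentions
CURRENT_POLICY = "pbkdf2:sha512:200000"   # what new records should use


def parse_method(method):
    """Split 'pbkdf2:sha512:200000' into ('sha512', 200000).

    A missing iteration count falls back to DEFAULT_ITERATIONS, so the bare
    'pbkdf2:sha1' default of the answer parses as well.
    """
    parts = method.split(":")
    if parts[0] != "pbkdf2" or len(parts) not in (2, 3):
        raise ValueError(f"unsupported method: {method!r}")
    digest = parts[1]
    if digest not in hashlib.algorithms_available:
        raise ValueError(f"unknown digest: {digest!r}")
    iterations = int(parts[2]) if len(parts) == 3 else DEFAULT_ITERATIONS
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return digest, iterations


def hash_password(password, method=CURRENT_POLICY, salt=None):
    """Return 'pbkdf2:<digest>:<iterations>$<salt>$<hex>'.

    The digest and iteration count travel with the record, so every stored
    hash can still be verified after the application's defaults change.
    """
    digest, iterations = parse_method(method)
    if salt is None:
        salt = secrets.token_hex(16)   # fresh random salt per password
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                             salt.encode("utf-8"), iterations)
    return f"pbkdf2:{digest}:{iterations}${salt}${dk.hex()}"


def check_password(stored, password):
    """Recompute PBKDF2 with the parameters recorded in `stored` and compare
    in constant time."""
    method, salt, expected = stored.split("$", 2)
    digest, iterations = parse_method(method)
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                             salt.encode("utf-8"), iterations)
    return hmac.compare_digest(dk.hex(), expected)


def needs_rehash(stored, method=CURRENT_POLICY):
    """True when the record uses a different digest or fewer iterations than
    the current policy; call hash_password() again after a successful login."""
    digest, iterations = parse_method(stored.split("$", 1)[0])
    want_digest, want_iterations = parse_method(method)
    return digest != want_digest or iterations < want_iterations


if __name__ == "__main__":
    # Constructed sample data: an old record made with the sha1 default.
    legacy = hash_password("example-password", method="pbkdf2:sha1")
    print("legacy record:", legacy)
    print("verifies:", check_password(legacy, "example-password"))
    if check_password(legacy, "example-password") and needs_rehash(legacy):
        upgraded = hash_password("example-password")   # now sha512 / 200000
        print("upgraded record:", upgraded)
```

Because the method string is stored with each hash, switching the default to `pbkdf2:sha512:200000` does not invalidate existing users; their records keep verifying under the old parameters and are rewritten with the stronger ones on the next login.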
