Someone on Reddit pointed out that our URL obfuscation method for django-urlcrypt was rather simplistic. We already kind of knew this, and that if someone was able to figure out the obfuscation key then they'd be able to decode the URLs and get someone's hashed password. I don't think that's the end of the world because the password is still SHA-1 hashed, but it's certainly not ideal.
So with 0.1.4 Chris added an option to use RSA to encrypt the URL tokens, and the hashed password is no longer part of the data that gets encrypted. From the end user's perspective the only difference is that if the user changes their password, the old links will still be valid.
If you want to use RSA, which is recommended, just add
URLCRYPT_PRIVATE_KEY_PATH = '/path/to/private_key'
in your settings.
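Setting URLCRYPT_PRIVATE_KEY_PATH means you need a private key file on the server for it to point at. The script below is an added example, not part of django-urlcrypt or this post: it generates an RSA private key with openssl, restricts the file to the owner, and prints the settings line. It assumes the library reads a PEM-encoded RSA private key from that path (the format most Python RSA libraries accept); the key size and file name are choices made here, not values from the project.

```shell
# Added example (not from the django-urlcrypt project). Assumes the library
# loads a PEM-encoded RSA private key from URLCRYPT_PRIVATE_KEY_PATH.
set -e

# Creates a 2048-bit RSA private key at $1, created with mode 0600 so that
# only the application user can read it, then verifies that the file parses
# as a private key (so a truncated or mis-written file is caught early).
generate_urlcrypt_key() {
    key_path="$1"
    (
        umask 077                                # new file is owner-readable only
        openssl genrsa -out "$key_path" 2048 2>/dev/null
    )
    openssl pkey -in "$key_path" -noout          # non-zero exit if not a valid key
}

# Prints the line to add to settings.py for the given key path.
settings_line() {
    printf "URLCRYPT_PRIVATE_KEY_PATH = '%s'\n" "$1"
}

# Usage: generate a key in a scratch directory and show the settings line.
KEY_DIR="$(mktemp -d)"
generate_urlcrypt_key "$KEY_DIR/urlcrypt_private_key.pem"
settings_line "$KEY_DIR/urlcrypt_private_key.pem"
```

In a real deployment the key belongs outside the web root and outside version control, readable only by the account Django runs as; the umask in the function handles the permission bits, but where the key lives is still up to you.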