Password hashing. Because you’re not storing clear text passwords, it can be tricky to upgrade later if you’ve chosen something bad like md5. You either have to force your entire user base to reset, or you do an over-time migration when people login, which will always leave some not upgraded.
The algorithm comes first, then the number of iterations, then finally the hash value.
This makes it possible to increase iterations or even switch algorithms upgrade and re-hash existing passwords automatically later on when users sign in. Django handles this for you.
Another good reason to use a mature, extensively tested mechanism for authentication rather than rolling your own from scratch.
There's a third pattern forward, which is that you rehash the entire password database with a more secure (specifically, slower) hash plus new, secret salt.
This also means you have a chance to crack any improper salt/secret storage, such as provisioning into memory only.
You will still need to do a password upgrade on login, but you at least have now made it a requirement that an attacker not only grab your database, but also a memory snapshot or disk snapshot.
We switched from a hash to bcrypt five+ years ago on a rolling migration. Just a month ago I received final go ahead to clear out legacy passwords and require a password reset if someone does try to get in. My point is that there are office politics at work here even.
