The latest guidance on increasing the number of PBKDF2 iterations for each release of Django was written by Alex in July 2014:
For each release... "Increase the default PBKDF2 iterations in django.contrib.auth.hashers.PBKDF2PasswordHasher by about 20% (pick a round number)."

He noted in that commit message, "The rate at which we've increased this has not been keeping up with hardware (and software) improvements, and we're now considerably behind where we should be. The delta between our performance and an optimized implementation's performance prevents us from improving that further, but hopefully once Python 2.7.8 and 3.4+ get into more hands we can more aggressively increase this number."

https://github.com/django/django/commit/6732566967888f2c12efee1146940c85c0154e60

Upon seeing a proposed 25% increase for 1.10 (to bring the iteration count to 30,000), Claude and Aymeric questioned this:

Aymeric: "I don't believe single-threaded execution gets 25% faster every 8 months with modern CPUs. Should we have a guideline about the duration of one call to the hasher on some reference platform?"

Claude: "Same question for me. I wouldn't blindly apply that 25% increase each time. It's good that we question that number at each release, but let's be smart enough to evaluate if the increase is justified or not."
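The duration-based guideline raised in the thread can be measured directly. The sketch below is an added example, not part of the original message or of Django's code: it times `hashlib.pbkdf2_hmac` with SHA-256 on the local machine, derives the iteration count that fits a time budget, and lists what fixed percentage bumps produce for comparison. The helper names, the 50 ms budget, and the sample password are assumptions; 24,000 is the starting count implied by a 25% step to 30,000.

```python
import hashlib
import os
import time

def time_pbkdf2(iterations, repeats=3):
    """Best-of-N wall-clock seconds for one PBKDF2-HMAC-SHA256 call."""
    password = b"constructed-sample-password"  # constructed input
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def round_number(n, step=1000):
    """Round down to a multiple of step, never below one step."""
    return max(step, n // step * step)

def calibrate(target_seconds, probe_iterations=20_000):
    """Iterations needed to spend target_seconds per hash on this machine.

    PBKDF2 cost is linear in the iteration count, so one probe suffices.
    """
    per_iteration = time_pbkdf2(probe_iterations) / probe_iterations
    return round_number(int(target_seconds / per_iteration))

def compounded(start, rate, releases):
    """Counts produced by applying a fixed percentage bump each release."""
    counts = [start]
    for _ in range(releases):
        counts.append(int(counts[-1] * (1 + rate)))
    return counts

if __name__ == "__main__":
    TARGET = 0.05  # assumed budget: 50 ms per hash, not a Django figure
    print("measured for %.0f ms: %d iterations" % (TARGET * 1000, calibrate(TARGET)))
    # 30,000 / 1.25 = 24,000: the count implied by the thread's 25% step
    print("fixed 25%% bumps: %s" % compounded(24_000, 0.25, 3))
```

Running the same script on a chosen reference machine at each release shows whether the measured count has actually moved as far as the fixed-percentage schedule assumes.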