Unfortunately here is where we hit an asymmetry: single threaded
performance of PBKDF2 _as realized in our pure Python implementation_
indeed does not improve by 25% every 8 months.

Unfortunately 24k iterations is behind where we'd want to be (~100k
iterations, or a factor of 4, last I checked).

The only way to reconcile this is for more users to get Python 2.7.8 and
3.4+, where there's a faster implementation of PBKDF2, or to entirely
switch to alternate algorithms such as bcrypt.

Alex

On Sun, Sep 20, 2015 at 7:20 PM, Tim Graham <timogra...@gmail.com> wrote:

> The latest guidance on increasing the number of PBKDF2 iterations for each
> release of Django was written by Alex in July 2014:
>
> For each release... "Increase the default PBKDF2 iterations in
> django.contrib.auth.hashers.PBKDF2PasswordHasher by about 20% (pick a
> round number)."
>
> He noted in that commit message, "The rate at which we've increased this
> has not been keeping up with hardware (and software) improvements, and
> we're now considerably behind where we should be. The delta between our
> performance and an optimized implementation's performance prevents us from
> improving that further, but hopefully once Python 2.7.8 and 3.4+ get into
> more hands we can more aggressively increase this number."
>
>
> https://github.com/django/django/commit/6732566967888f2c12efee1146940c85c0154e60
>
> Upon seeing a proposed 25% increase for 1.10 (to bring the iteration count
> to 30,000), Claude and Aymeric questioned this:
>
> Aymeric: "I don't believe single-threaded execution gets 25% faster every
> 8 months with modern CPUs. Should we have a guideline about the duration of
> one call to the hasher on some reference platform?"
> Claude: "Same question for me. I wouldn't blindly apply that 25% increase
> each time. It's good that we question that number at each release, but
> let's be smart enough to evaluate if the increase is justified or not."
>

-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAFRnB2ULkZ7qrPbOwc9OGQBdiC0B1Jjv0UExRSoWR-ohOE91GA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
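An added example (not code from this thread or from Django itself) that makes the two points above concrete in Python 3: a pure-Python PBKDF2-HMAC-SHA256 next to hashlib.pbkdf2_hmac, the C implementation Python 2.7.8 and 3.4+ expose, so the asymmetry Alex describes can be measured, plus a helper that derives an iteration count from a per-call time budget on a reference machine, the guideline Aymeric asks about. The password, salt and 0.1 s budget are constructed/assumed values; only the 24k starting count comes from the thread.

```python
import hashlib
import hmac
import struct
import time

# Constructed inputs; only the 24k iteration count comes from the thread.
PASSWORD = b"correct horse battery staple"
SALT = b"constructed-salt-0001"
CURRENT_ITERATIONS = 24_000  # where Django sat when Alex wrote this
BUDGET_SECONDS = 0.1         # assumed per-call budget on a reference machine

def pbkdf2_pure_python(password, salt, iterations, dklen=32):
    """PBKDF2-HMAC-SHA256 in plain Python: the slow path Alex refers to."""
    prf = hmac.new(password, None, hashlib.sha256)  # keyed once, copied per use
    hlen, out = prf.digest_size, b""
    for block in range(1, -(-dklen // hlen) + 1):
        h = prf.copy()
        h.update(salt + struct.pack(">I", block))
        u = h.digest()                      # U_1
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):     # U_2 .. U_c, xor-folded into T_block
            h = prf.copy()
            h.update(u)
            u = h.digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:dklen]

def pbkdf2_hashlib(password, salt, iterations, dklen=32):
    """The C implementation Python 2.7.8 and 3.4+ expose via hashlib."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)

def time_one_hash(fn, iterations):
    """Wall-clock seconds for a single call of fn at `iterations`."""
    start = time.perf_counter()
    fn(PASSWORD, SALT, iterations)
    return time.perf_counter() - start

def iterations_for_budget(fn, budget_seconds, probe=2_000, round_to=1_000):
    """Iterations at which fn takes ~budget_seconds on this machine."""
    # PBKDF2 cost is linear in the iteration count, so one timed probe suffices;
    # round down to a round number, as the Django guidance asks.
    per_iteration = time_one_hash(fn, probe) / probe
    raw = int(budget_seconds / per_iteration)
    return max(round_to, raw - raw % round_to)

if __name__ == "__main__":
    for name, fn in (("pure Python", pbkdf2_pure_python), ("hashlib (C)", pbkdf2_hashlib)):
        ms = time_one_hash(fn, CURRENT_ITERATIONS) * 1000
        print(f"{name:12s} {CURRENT_ITERATIONS} iterations: {ms:6.0f} ms; "
              f"{BUDGET_SECONDS}s budget -> {iterations_for_budget(fn, BUDGET_SECONDS)}")
```

Run on the proposed reference platform, the second number per row is the count a time-based guideline would set, independent of how many releases have passed.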