As I understand it, the problem with increasing the number of iterations on 
the slower hasher is that upgrading Django could effectively result in a 
DDoS attack after you upgrade Django as users' passwords are upgraded.

Some benchmarking suggests that the new algorithm results in a 3x speed up 
(100,000 iterations done 100 times is ~30 sec. on old Python 2.7's and ~10s 
with 2.7.8+).

An option could be to make the number of iterations dependent on the Python 
version?

On Tuesday, September 22, 2015 at 12:15:46 AM UTC-4, Josh Smeaton wrote:
>
> Is the concern that 100,000 iterations is too slow on python < 2.7.8 but 
> is acceptable on versions after that? If so, then we wouldn't be breaking < 
> 2.7.8, we'd just be reducing the performance profile, right? We could call 
> out such things in the release notes. 
>
> On Tuesday, 22 September 2015 02:12:35 UTC+10, Donald Stufft wrote:
>>
>> On September 21, 2015 at 10:55:57 AM, Collin Anderson (cmawe...@gmail.com) 
>> wrote: 
>> > Is there an external library for Python < 2.7.8? I know we don't 
>> officially 
>> > support the system version of python in RHEL/CentOS and Ubuntu, but I 
>> bet 
>> > we could get away with requiring a dependency for those old versions of 
>> > Python in new versions of Django. 
>> >   
>>
>>
>>
>> https://cryptography.io/en/latest/hazmat/primitives/key-derivation-functions/#cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC
>>   
>>
>>
>> ----------------- 
>> Donald Stufft 
>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 
>> DCFA 
>>
>>
>>
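The password-upgrade cost raised in the first message, as an added example that is not part of the thread and is not Django's own code: a minimal sketch of verify-then-rehash on login, using the `algorithm$iterations$salt$hash` layout of Django's PBKDF2 hashes. The function names, the sample password and salt, and the old iteration count of 20,000 are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
TARGET_ITERATIONS = 100_000  # the iteration count discussed in the thread


def encode(password, salt, iterations):
    """Build an 'algorithm$iterations$salt$hash' string."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "$".join([ALGORITHM, str(iterations), salt, base64.b64encode(dk).decode()])


def check_and_upgrade(password, encoded, target=TARGET_ITERATIONS):
    """Return (ok, upgraded_hash_or_None, pbkdf2_iterations_spent)."""
    algorithm, iterations, salt, _ = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError("unsupported algorithm: %r" % algorithm)
    iterations = int(iterations)
    # Verification always runs at the *stored* cost.
    ok = hmac.compare_digest(encode(password, salt, iterations), encoded)
    if not ok or iterations >= target:
        return ok, None, iterations
    # Correct password but stale work factor: rehash at the new cost.
    upgraded = encode(password, secrets.token_hex(8), target)
    return True, upgraded, iterations + target


if __name__ == "__main__":
    old = encode("correct horse", "constructedsalt", 20_000)  # constructed sample
    for attempt in (1, 2):
        ok, upgraded, spent = check_and_upgrade("correct horse", old)
        print("login %d: ok=%s iterations=%d upgraded=%s"
              % (attempt, ok, spent, bool(upgraded)))
        old = upgraded or old
```

The first successful login after the target is raised pays for both the old and the new derivation; later logins pay only the new cost, and failed logins never trigger a rehash.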
