Hi,

On Thu, Sep 3, 2020 at 11:23 AM Shai Berger <s...@platonix.com> wrote:

>
> Please be aware that this is a security issue. The passwords are
> encrypted as protection for the case that they fall into the hands of
> an attacker, but for this protection to be effective, it must stay hard
> and costly to brute-force them. The number of iterations is enlarged in
> order to keep this cost up with the improvements of available hardware.
> If you intend to keep a user's password un-updated for many years, it's
> almost as bad as keeping it in plaintext -- in 10-15 years, we'd expect
> the number of iterations in current Django to be grossly insufficient.


I don't intend to keep the settings of now for 10-15 years. But since I
launched Speedy Net on Django 1.11 in production 13 months ago, I have upgraded
to 2.0, 2.1, 2.2, 3.0 and now 3.1. These are 5 major version upgrades in 13
months. I don't see a reason why the number of iterations should have
changed 5 times in 13 months. Even if I upgraded Django every 8
months, I would prefer to keep the number of iterations and change it every 2-3
years, if this logs out users. I'm not sure if I'll write a blog post, but
you can see our patch on GitHub:

https://github.com/speedy-net/speedy-net/blob/master/speedy/core/patches/session_patches.py

I wish I had known about this issue earlier; then I would have patched
something like this before causing this to change 5 times in
production.

אורי.
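The mechanism behind the logout that the reply above complains about, as an added stand-alone model that is not Django code and not the Speedy Net patch: Django's `PBKDF2PasswordHasher.must_update()` reports a stored hash whose iteration count differs from the hasher's current count, `AbstractBaseUser.check_password()` re-encodes and saves the password on the next successful login, and `get_session_auth_hash()` is an HMAC over the stored password field, so every other session of that user stops verifying. The secret key, usernames, passwords and the tiny iteration counts below are constructed for the example; the helper names are this example's own, chosen to mirror the Django methods they stand in for.

```python
"""Model of how a PBKDF2 iteration bump invalidates a user's other sessions.
Added example: mirrors the Django mechanism with the standard library only."""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
SECRET_KEY = b"constructed-secret-key-for-the-example"  # assumption, stands in for SECRET_KEY


def encode_password(password: str, salt: str, iterations: int) -> str:
    """Django-style encoded hash: algorithm$iterations$salt$base64(digest)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode()}"


def verify_password(password: str, encoded: str) -> bool:
    """Re-derive with the parameters stored in the hash and compare in constant time."""
    algorithm, iterations, salt, _ = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        return False
    return hmac.compare_digest(encode_password(password, salt, int(iterations)), encoded)


def must_update(encoded: str, current_iterations: int) -> bool:
    """Mirrors PBKDF2PasswordHasher.must_update(): stored count differs from the hasher's."""
    return int(encoded.split("$", 3)[1]) != current_iterations


def session_auth_hash(encoded_password: str) -> str:
    """Mirrors AbstractBaseUser.get_session_auth_hash(): HMAC over the stored password field."""
    return hmac.new(SECRET_KEY, encoded_password.encode(), hashlib.sha256).hexdigest()


class User:
    """Minimal stand-in for a Django user row; only the password column matters here."""

    def __init__(self, raw_password: str, iterations: int):
        self.password = encode_password(raw_password, secrets.token_hex(8), iterations)

    def check_password(self, raw_password: str, current_iterations: int) -> bool:
        """Mirrors AbstractBaseUser.check_password(): on success, re-hash if the hasher changed."""
        ok = verify_password(raw_password, self.password)
        if ok and must_update(self.password, current_iterations):
            # This is the save() that rewrites the password column after an upgrade.
            self.password = encode_password(raw_password, secrets.token_hex(8), current_iterations)
        return ok


def other_session_survives_login(old_iterations: int, new_iterations: int) -> bool:
    """Device B is logged in before the upgrade; device A logs in after it.
    Returns True if device B's session auth hash still matches the stored password."""
    user = User("correct horse battery staple", old_iterations)
    device_b_session_hash = session_auth_hash(user.password)  # stored in device B's session
    assert user.check_password("correct horse battery staple", new_iterations)  # device A logs in
    # Django's session middleware compares the session's hash against the current user row.
    return hmac.compare_digest(device_b_session_hash, session_auth_hash(user.password))


if __name__ == "__main__":
    # Tiny counts keep the demo fast; real deployments use hundreds of thousands.
    print("iterations unchanged, session kept:", other_session_survives_login(100, 100))
    print("iterations bumped, session kept:", other_session_survives_login(100, 120))
```

The second call returns False: the bump alone does nothing, but the first login after the upgrade rewrites the password column and every other session of that user fails its auth-hash check. Keeping the count fixed across upgrades (the documented Django pattern is a `PBKDF2PasswordHasher` subclass with its own `iterations` attribute listed first in `PASSWORD_HASHERS`) avoids that rewrite, at the cost Shai describes of the hash not keeping pace with hardware until the count is raised deliberately.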
