> That said, it is pretty incredible that beginners can (still) install
Django just about anywhere they have Python without compiling anything at
all.
I think this comment perfectly summarises my initial resistance to forcing
this change.
I think adding argon2_cffi to extra_requires could be a
On Thu, Jan 5, 2017 at 10:58 AM, Martin Koistinen wrote:
> Slightly off-topic, this presents a really nice case for switching to
> Argon2 via argon2_cffi (supported in Django 1.10+). It's super fast (C-lib)
> and resistant to GPU/ASIC brute-forcing. So, whereas an attacker's 8-GPU
> hashing machi
I'm not sure the DoS concern is really something that can be addressed
here. Regardless of the number of iterations we choose, POSTing to the
login form will always be a target, unless it's appropriately protected
(i.e., with some combination of rate limiting, recaptcha, and/or something
at the net
I agree that reading the whole document gave some hints about the incoming
troubles, but I guess many people (like me), on first pass, just thought
"OK that's all I wanted to hear" and went by. Plus, it's a little like
saying "this dog doesn't bite", and then later "if the dog wants to bite
you,
I'd find this really helpful right now.
Solution 1, overriding the default in a settings file is the easiest
solution to understand and the fastest to set up, against 2 and 3
standalone.
Solution 2 comes for free with Solution 1 - a user can read from
environment variables via settings files i
I'm not sure why you think that would be a better way? Assuming you are
already using TLS correctly (2048 bit keys, TLS v1.2, proper cipher suites,
forward secrecy, etc. etc.) a simple way to achieve much higher security is
to support two factor authentication.
There are a number of systems fo
Hi,
yes we'd very much like to have 2fa in Django. At the minimum we'd like to
support TOTP and U2F. The idea on why exactly those two is relatively
simple: They either cost nothing or are low cost and the two are so
different that if they both work, most other authentication flows will
probab
Hello,
After reading the recent thread on authentication in django, I
wondered about the chance of getting a 2-step auth mechanism in
django.contrib.
Time based one time password, or TOTP, is now part of RFC 6238.
For those who don't know it, it uses a shared secret and current time
to produ