You might have a point regarding the frequency of bumping the PBKDF iteration 
setting. Is bumping it 5 times in 13 months really required? On the other hand 
you might want to consider staying on the LTS releases and avoid issues such as 
this, and the issue you’re describing is quite niche.

However, I would say that based on your previous posts to this mailing list 
around authentication, you are definitely in need of some form of federated 
login/SSO for your several web properties. That would certainly alleviate this 
issue and some of the other problems you’ve reported here.

Tom 

> On 3 Sep 2020, at 09:47, אורי <u...@speedy.net> wrote:
> 
> Hi,
> 
> On Thu, Sep 3, 2020 at 11:23 AM Shai Berger <s...@platonix.com> wrote:
> 
> Please be aware that this is a security issue. The passwords are
> encrypted as protection for the case that they fall into the hands of
> an attacker, but for this protection to be effective, it must stay hard
> and costly to brute-force them. The number of iterations is enlarged in
> order to keep this cost up with the improvements of available hardware.
> If you intend to keep a user's password un-updated for many years, it's
> almost as bad as keeping it in plaintext -- in 10-15 years, we'd expect
> the number of iterations in current Django to be grossly insufficient.
> 
> I don't intend to keep the settings of now for 10-15 years. But since I 
> launched Speedy Net in Django 1.11 in production 13 months ago, I upgraded to 
> 2.0, 2.1, 2.2, 3.0 and now 3.1. These are 5 major version upgrades in 13 
> months. I don't see a reason why the number of iterations should have changed 
> 5 times in 13 months. Even if I would upgrade Django every 8 months, I prefer 
> to keep the number of iterations and change it every 2-3 years, if this logs 
> out users. I'm not sure if I'll write a blog post, but you can see our patch 
> on GitHub:
> 
> https://github.com/speedy-net/speedy-net/blob/master/speedy/core/patches/session_patches.py
> 
> I wish I had known about this issue before; then I would have patched something 
> like this before causing this to change 5 times in production.
> 
> אורי.
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to django-developers+unsubscr...@googlegroups.com 
> <mailto:django-developers+unsubscr...@googlegroups.com>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-developers/CABD5YeFp_9btTbguvBDyUxCaaYcX4VD9thsddp7hdRqVL%2BJnuw%40mail.gmail.com
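
Added example, not code from this thread, from Speedy Net's patch or from Django itself: a plain-hashlib model of the mechanism the two of you are arguing about. The stored record carries its own iteration count, an old record stays verifiable, and on a successful login the hash is opportunistically rewritten at the current work factor; because the session carries an HMAC over the password hash (Django's session auth hash works this way), that rewrite is what logs the user out. The function names, the secret key, the salt and the small iteration counts are constructed for the example; real defaults are in the hundreds of thousands.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed work factor standing in for a release's default. Kept small so
# the example runs quickly; production values are far larger.
CURRENT_ITERATIONS = 2000


def encode_password(password: str, salt: str, iterations: int) -> str:
    """Store the work factor next to the hash: 'pbkdf2_sha256$<iterations>$<salt>$<hash>'."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode()}"


def decode(encoded: str):
    """Split a stored record into (algorithm, iterations, salt, base64 digest)."""
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    return algorithm, int(iterations), salt, digest


def verify_password(password: str, encoded: str) -> bool:
    """Re-derive with the iteration count stored in the record, so old hashes stay verifiable."""
    _, iterations, salt, _ = decode(encoded)
    return hmac.compare_digest(encode_password(password, salt, iterations), encoded)


def must_update(encoded: str, target_iterations: int) -> bool:
    """True when the stored hash was made with a different (usually older) work factor."""
    return decode(encoded)[1] != target_iterations


def session_auth_hash(encoded: str, secret_key: bytes) -> str:
    """The session stores an HMAC over the password hash; a rehash changes it, so the session stops matching."""
    return hmac.new(secret_key, encoded.encode(), hashlib.sha256).hexdigest()


def login(password: str, stored: str, secret_key: bytes, target_iterations: int = CURRENT_ITERATIONS):
    """Verify, then rehash at the target work factor if the record is stale.

    Returns (ok, stored_after_login, session_invalidated).
    """
    if not verify_password(password, stored):
        return False, stored, False
    updated = stored
    if must_update(stored, target_iterations):
        # Only possible at login: raising the work factor needs the plaintext password.
        updated = encode_password(password, secrets.token_hex(8), target_iterations)
    invalidated = session_auth_hash(stored, secret_key) != session_auth_hash(updated, secret_key)
    return True, updated, invalidated


def demo():
    secret_key = b"constructed-secret-key"
    # Record hashed under an older, lower setting (constructed values).
    stored = encode_password("correct horse battery", "constructedsalt", 1000)

    # Upgrade path: the new default differs, the hash is rewritten, the session HMAC changes.
    ok, upgraded, invalidated = login("correct horse battery", stored, secret_key, 2000)
    # Pinned path: keeping the old default leaves the hash, and therefore the session, untouched.
    ok_pinned, pinned, invalidated_pinned = login("correct horse battery", stored, secret_key, 1000)
    rejected, _, _ = login("wrong password", stored, secret_key, 2000)
    return {
        "upgrade_ok": ok,
        "upgraded_iterations": decode(upgraded)[1],
        "upgrade_invalidated_session": invalidated,
        "pinned_ok": ok_pinned,
        "pinned_unchanged": pinned == stored,
        "pinned_invalidated_session": invalidated_pinned,
        "wrong_password_accepted": rejected,
        "old_hash_still_verifies": verify_password("correct horse battery", stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pinned path shows what the Speedy Net patch buys and what it costs: no forced logouts on upgrade, but every record stays at the old work factor until the pinned value is raised, which is the trade-off Shai describes above. A middle ground is to raise the value on your own schedule and accept the one-time logout when you do.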
