We already committed a fix for pbkdf2; the DoS vector no longer exists (at least not in this form):
https://github.com/django/django/commit/68540fe4df44492571bc610a0a043d3d02b3d320
 


On Thursday, October 3, 2013 9:56:14 AM UTC+2, Ram Rachum wrote:
>
> Hi everybody,
>
> I've submitted the patch, and corrected it, and it's been sitting on the 
> issue tracker for 2 weeks without anyone commenting. Does anyone care to 
> discuss this? I want to have this merged in, or discuss any problems in 
> merging it in. 
>
>
> On Sun, Sep 15, 2013 at 11:27 PM, Ram Rachum <ram.r...@gmail.com> wrote:
>
>> Submitted patch:
>>
>> https://code.djangoproject.com/ticket/21105#comment:1
>>
>> On Sunday, September 15, 2013 10:09:55 PM UTC+3, Donald Stufft wrote:
>>
>>>
>>> On Sep 15, 2013, at 2:59 PM, Florian Apolloner <f.apo...@gmail.com> 
>>> wrote:
>>>
>>> Hi Ram,
>>>
>>> On Sunday, September 15, 2013 12:34:03 PM UTC+2, Ram Rachum wrote:
>>>>
>>>> Florian, I'm not sure that you read my message carefully enough. I'm *not*
>>>> proposing to reduce the time that PBKDF2 takes to hash.
>>>>
>>>
>>> By replacing the password with a hash before running it through PBKDF2
>>> you are reducing that time for every password longer than the hash… And
>>> given the way PBKDF2 works you'll reduce it by quite a bit (note that all
>>> of this only applies to passwords longer than the hash, so it's probably
>>> pretty academic). Either way, we'd at least need a new hasher class since
>>> it would be backwards incompatible. Independent of that we'd have to
>>> evaluate if pre-hashing the password could make PBKDF2 less secure
>>> (probably not too likely, but who knows).
>>>
>>>
>>> According to Thomas Pornin in the context of bcrypt, pre-hashing the
>>> password is fine (and we already do this in Django 1.6). I see no reason
>>> the same wouldn't hold true for PBKDF2.
>>>
>>> -----------------
>>> Donald Stufft
>>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 
>>> DCFA 
>>>
>
>

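The thread argues about why a long password makes PBKDF2 expensive and compares the two remedies (hash the password first, or cap its length before doing any work). The following added example is not Django's code and not the linked commit; it is a textbook PBKDF2 loop written the way the vulnerable implementation behaved, plus both mitigations. The cap value `MAX_PASSWORD_BYTES` and the helper names are assumptions made for this illustration.

```python
"""Added example (not Django's own code): why an over-long password makes a
naive PBKDF2 loop slow, and the two mitigations discussed in the thread."""
import hashlib
import hmac
import struct
import time

# Constructed example value; Django's real limit is in the linked commit, not here.
MAX_PASSWORD_BYTES = 4096


def pbkdf2_naive(password: bytes, salt: bytes, iterations: int, dklen: int,
                 digest=hashlib.sha256) -> bytes:
    """Textbook PBKDF2 (RFC 2898) that calls hmac.new() with the raw password
    on every iteration.  HMAC first hashes any key longer than the hash block
    size, so each of the `iterations` steps pays a cost proportional to
    len(password): that is the DoS vector.  hashlib.pbkdf2_hmac, by contrast,
    sets the HMAC key up once and reuses it."""
    hlen = digest().digest_size
    blocks = -(-dklen // hlen)  # ceiling division
    out = b""
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + struct.pack(">I", i), digest).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, digest).digest()  # re-keys with the long password
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(hlen, "big")
    return out[:dklen]


def pbkdf2_prehashed(password: bytes, salt: bytes, iterations: int, dklen: int,
                     digest=hashlib.sha256) -> bytes:
    """Mitigation proposed in the thread: hash the password first so PBKDF2
    always sees a fixed-length key.  The output differs from PBKDF2 over the
    raw password, which is why a new hasher class would be needed."""
    return pbkdf2_naive(digest(password).digest(), salt, iterations, dklen, digest)


def password_length_ok(password: bytes) -> bool:
    """Mitigation that limits input size: reject oversized passwords before
    any expensive work happens (cap is a constructed example value)."""
    return len(password) <= MAX_PASSWORD_BYTES


def cost_ratio(short_len: int = 8, long_len: int = 100_000,
               iterations: int = 2000) -> float:
    """Wall-clock ratio of the naive loop on a long vs. a short password.
    Returned for inspection only; timings are too noisy to assert on."""
    salt = b"constructed-salt"
    t0 = time.perf_counter()
    pbkdf2_naive(b"a" * short_len, salt, iterations, 32)
    t1 = time.perf_counter()
    pbkdf2_naive(b"a" * long_len, salt, iterations, 32)
    t2 = time.perf_counter()
    return (t2 - t1) / (t1 - t0)


if __name__ == "__main__":
    print("naive loop, long/short cost ratio:", round(cost_ratio(), 1))
    print("prehashed input length is always", hashlib.sha256().digest_size, "bytes")
    print("4097-byte password accepted?", password_length_ok(b"x" * 4097))
```

`pbkdf2_naive` is checked against `hashlib.pbkdf2_hmac` and the RFC 6070 SHA-1 vector so the loop is known to be real PBKDF2; `cost_ratio` then shows the per-iteration re-keying cost that a length cap or pre-hash removes.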