Password hashing schemes are slow on purpose to prevent brute force.
Siphash wouldn't make sense because if you're switching for speed you
can just use any secure hash function.

crypt by default is much slower than PBKDF2 FWIW. You should tune the
work factor/iterations until it's fast enough that it doesn't negatively
impact your site but as slow as possible otherwise. The higher the work
factor/iterations the harder it is to brute force, but the more negative
impact each login has.

I would tune bcrypt or PBKDF2 down before I implemented this custom
scheme.

-- 
  Donald Stufft
  don...@stufft.io

On Tue, Nov 19, 2013, at 09:10 PM, Javier Guerra Giraldez wrote:
> On Tue, Nov 19, 2013 at 8:48 PM, Erik van Zijst
> <erik.van.zi...@gmail.com> wrote:
> > You make a good point.
> >
> > An obvious fix would seem to be to add the username to the cache key. This
> > way users cannot "use" another user's cache entry.
> 
> 
> right, that would fix it.  (i guess, i'm no security expert)
> 
> but still you get only SHA1-level strength, when the whole idea was to
> switch to stronger crypto.  if in your case SHA1 is enough, you can
> simply keep using it.  if it's not enough, then you shouldn't be using
> it.
> 
> of course, that's easy for me to say; i don't manage a big site like
> yours, so the switch to PBKDF2 doesn't cost me a cent.
> 
> i wonder if siphash is strong enough for passwords...
> 
> -- 
> Javier
> 

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/1384914021.7999.49670181.1381CCF1%40webmail.messagingengine.com.
For more options, visit https://groups.google.com/groups/opt_out.
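Worked example added to this thread (my code, not Django's nor any poster's): it follows the tuning advice above by timing one PBKDF2 probe, extrapolating to a per-login budget, and then hashing and verifying with the chosen count. The function names and the loose "algorithm$iterations$salt$hash" string layout are my own assumptions.

```python
"""Pick a PBKDF2 iteration count by measurement, then hash and verify with it.

PBKDF2 cost is linear in the iteration count, so one timed probe is enough
to extrapolate to a target budget. Added example; not code from the thread.
"""
import base64
import hashlib
import hmac
import os
import time

ALGORITHM = "sha256"
MIN_ITERATIONS = 10_000  # floor: a fast or idle benchmark must never tune the cost to nothing


def time_one_derivation(iterations: int) -> float:
    """Wall-clock seconds for one PBKDF2-HMAC-SHA256 derivation at `iterations`."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(ALGORITHM, b"probe-password", b"\x00" * 16, iterations, 32)
    return time.perf_counter() - start


def tune_iterations(target_seconds: float, probe: int = 20_000) -> int:
    """Extrapolate from a timed probe to the count that costs about target_seconds.

    Best-of-three timing is used because noise only ever inflates a measurement.
    The result is rounded down to a multiple of 1000 and floored at MIN_ITERATIONS.
    """
    per_iter = min(time_one_derivation(probe) for _ in range(3)) / probe
    per_iter = max(per_iter, 1e-12)  # guard against a zero reading on coarse clocks
    estimate = int(target_seconds / per_iter) // 1000 * 1000
    return max(estimate, MIN_ITERATIONS)


def hash_password(password: str, iterations: int) -> str:
    """Encode as 'pbkdf2_sha256$iterations$salt$hash' (layout is an assumption)."""
    salt = base64.b64encode(os.urandom(16)).decode()
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode(), salt.encode(), iterations, 32)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode()}"


def verify_password(password: str, encoded: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    _, iterations, salt, stored = encoded.split("$")
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode(), salt.encode(), int(iterations), 32)
    return hmac.compare_digest(base64.b64encode(digest).decode(), stored)


if __name__ == "__main__":
    count = tune_iterations(0.25)  # aim for roughly a quarter second per login
    print(count, verify_password("hunter2", hash_password("hunter2", count)))
```

Re-run the tuning step on the production hardware, not a laptop, and raise the stored count for existing users as CPUs get faster.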
