Slightly off-topic, this presents a really nice case for switching to 
Argon2 via argon2_cffi (supported in Django 1.10+). It's super fast (C-lib) 
and resistant to GPU/ASIC brute-forcing. So, whereas an attacker's 8-GPU 
hashing machine would probably have something on the order of 24,000X more 
hashing capability for SHA256 than a typical Django server, I estimate that 
the same hardware (8 GPUs) would only have about 20-30X more hashing 
capability than a typical server. (Note, the anecdotal evidence across the 
internet supporting this is pretty thin).


On Wednesday, January 4, 2017 at 2:13:09 PM UTC-5, Martin Koistinen wrote:
>
> I think this is a pretty solid guess. Bear in mind this was a direct 
> install from Python.org.
>
> The important thing here is, this demonstrates that we cannot just assume 
> that all Python 3 installs have a "fast" PBKDF2 implementation =/
>
> On Wednesday, January 4, 2017 at 11:33:17 AM UTC-5, Tobias McNulty wrote:
>
>> ... 
>>
>> Martin, is it possible your version of Python 3 is not linked against 
>> OpenSSL and hence is missing the fast version of pbkdf2_hmac? I haven't had 
>> a chance to try your benchmark yet, but in a quick test I don't see any 
>> difference between Python 3.5.2 and Python 2.7.12 on a Mac.
>>
>> Tobias
>>

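Added example, not part of the original thread: one way to check whether a given Python build has the compiled `hashlib.pbkdf2_hmac` the messages above discuss, and to measure how much slower a pure-Python PBKDF2 is on the same machine. The function names, the sample password and salt, and the 20000-iteration figure are constructed for illustration; `pbkdf2_reference` is a stand-in for a slow build, not CPython's own fallback code.

```python
import hashlib
import hmac
import inspect
import struct
import time


def openssl_backed() -> bool:
    """True when hashlib.pbkdf2_hmac is a compiled built-in, not Python code."""
    return inspect.isbuiltin(getattr(hashlib, "pbkdf2_hmac", None))


def pbkdf2_reference(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Pure-Python PBKDF2-HMAC-SHA256 (RFC 8018), standing in for a slow build."""
    base = hmac.new(password, digestmod=hashlib.sha256)  # key setup done once
    out = b""
    block = 1
    while len(out) < dklen:
        mac = base.copy()
        mac.update(salt + struct.pack(">I", block))
        u = mac.digest()
        acc = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            mac = base.copy()
            mac.update(u)
            u = mac.digest()
            acc ^= int.from_bytes(u, "big")  # XOR of U_1 .. U_c
        out += acc.to_bytes(32, "big")
        block += 1
    return out[:dklen]


def seconds_per_hash(fn, iterations: int, repeats: int = 3) -> float:
    """Best-of-N wall time for one password hash at the given iteration count."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        fn(b"constructed-password", b"constructed-salt", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def compare(iterations: int = 20000) -> dict:
    """Time hashlib against the pure-Python reference (iteration count is a sample)."""
    fast = seconds_per_hash(lambda p, s, n: hashlib.pbkdf2_hmac("sha256", p, s, n), iterations)
    slow = seconds_per_hash(pbkdf2_reference, iterations)
    return {"openssl_backed": openssl_backed(), "hashlib_s": fast,
            "reference_s": slow, "slowdown": slow / fast}


if __name__ == "__main__":
    print(compare())
```

A `slowdown` close to 1 together with `openssl_backed` being `False` indicates the interpreter is hashing in Python code, so the configured iteration count costs the server far more per login than it costs an attacker with native code.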