Increasing iteration count for the PBKDF2 password hasher

2024-05-23 Thread Shaheed Haque
Hi,

As happens from time to time, I see the 5.1 alpha recently announced has
increased the iteration count for the PBKDF2 password hasher (from 720k to
870k), and the putative release notes for 5.2 mention a further increase
(to 1M).

I assume this iteration count has something to do with the noticeable time
it takes to run User.set_password()? Is there something that can be done to
mitigate any further increase in the execution time of .set_password(), or
am I barking up the wrong tree?

Thanks, Shaheed

-- 
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/CAHAc2jcETxAtMbHfnD1GQFVgWwR8ABOAy%3DjaRuhRW7mQhnOxeQ%40mail.gmail.com.
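The cost the question is seeing is inherent to PBKDF2: every call to set_password() (and every successful login check) runs the full iteration count, so the time scales linearly with it. The following added example is not Django's code and not from either poster; it reimplements, with hashlib only, the same "pbkdf2_sha256$<iterations>$<salt>$<base64 digest>" storage format Django's PBKDF2PasswordHasher produces, so the cost and the upgrade-on-login behaviour can be measured offline. The encode/verify/must_update/check_and_upgrade names, the salt helper and all password values are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Stand-alone reimplementation of Django's PBKDF2-SHA256 storage format
# (not Django's own code): "pbkdf2_sha256$<iterations>$<salt>$<b64 digest>".
ALGORITHM = "pbkdf2_sha256"
DIGEST = "sha256"


def encode(password: str, salt: str, iterations: int) -> str:
    """Derive the stored string for one password; cost is linear in iterations."""
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode(), salt.encode(), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt,
                            base64.b64encode(dk).decode("ascii"))


def verify(password: str, encoded: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in constant time."""
    parts = encoded.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _algorithm, iterations, salt, _digest = parts
    recomputed = encode(password, salt, int(iterations))
    return hmac.compare_digest(recomputed.encode(), encoded.encode())


def must_update(encoded: str, target_iterations: int) -> bool:
    """A stored hash whose iteration count differs from the current target is stale."""
    return int(encoded.split("$", 3)[1]) != target_iterations


def new_salt() -> str:
    # 128 bits of entropy; token_urlsafe never emits the "$" separator
    return secrets.token_urlsafe(16)


def check_and_upgrade(password: str, encoded: str, target_iterations: int):
    """Verify, then (only on success) re-hash at the new count with a fresh salt.

    Returns (ok, new_encoded_or_None). This is the pattern that lets a site
    raise the iteration count without re-hashing every row up front: the
    extra cost is paid once per user at the next successful login.
    """
    if not verify(password, encoded):
        return False, None
    if must_update(encoded, target_iterations):
        return True, encode(password, new_salt(), target_iterations)
    return True, None


def time_encode(iterations: int, runs: int = 3) -> float:
    """Best-of-n wall-clock seconds for one encode() at the given count (constructed input)."""
    best = float("inf")
    for _ in range(runs):
        t0 = time.perf_counter()
        encode("correct horse battery staple", "fixedsaltfixedsalt", iterations)
        best = min(best, time.perf_counter() - t0)
    return best


def cost_ratio(iterations_a: int, iterations_b: int) -> float:
    """How many times slower iterations_a is than iterations_b on this machine."""
    return time_encode(iterations_a) / time_encode(iterations_b)


if __name__ == "__main__":
    # The three counts mentioned in the thread: 720k (5.0), 870k (5.1), 1M (5.2)
    for n in (720_000, 870_000, 1_000_000):
        print("%9d iterations: %.3f s" % (n, time_encode(n, runs=1)))
    stale = encode("hunter2", new_salt(), 720_000)
    ok, upgraded = check_and_upgrade("hunter2", stale, 1_000_000)
    print("login ok:", ok, "| re-hashed at:", upgraded.split("$")[1])
```

The only levers that actually reduce the per-call time are lowering the iteration count (which is exactly the attacker cost the increase buys) or switching to a different hasher; making PBKDF2 itself faster is not an option. The timing numbers printed by the __main__ block are machine-specific.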


Re: Increasing iteration count for the PBKDF2 password hasher

2024-05-23 Thread Mike Dewhirst

On 23/05/2024 6:12 pm, Shaheed Haque wrote:

> Hi,
>
> As happens from time to time, I see the 5.1 alpha recently announced
> has increased the iteration count for the PBKDF2 password hasher (from
> 720k to 870k), and the putative release notes for 5.2 mention a
> further increase (to 1M).
>
> I assume this iteration count has something to do with the noticeable
> time it takes to run User.set_password()? Is there something that can
> be done to mitigate any further increase in the execution time of
> .set_password(), or am I barking up the wrong tree?


My understanding is the intention is to make brute force attacks more 
expensive for the attacker.


Don't know whether there might be a better way.


> Thanks, Shaheed



--
We recommend signal.org

Signed email is an absolute defence against phishing. This email has
been signed with my private key. If you import my public key you can
automatically decrypt my signature and be sure it came from me. Your
email software can handle signing.

--
You received this message because you are subscribed to the Google Groups "Django 
users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/9c7c7294-08fd-4a6a-91de-e99ab27d4a61%40dewhirst.com.au.

