[issue42982] Update suggested number of iterations for pbkdf2_hmac()

April King report at bugs.python.org
Tue Jan 25 10:14:07 EST 2022


April King <april at grayduck.mn> added the comment:

Django probably stores and computes more passwords than every other Python framework combined, and it doesn't provide you any control over the number of iterations. And it hasn't for years. If this were truly a problem, wouldn't their users be complaining about it constantly?

Werkzeug was doing 150,000 iterations as of 0.15.x, released three years ago, and does 260,000 iterations today. Again, no complaints or issues.

In practicality, this is almost never a problem - user logins and password changes are extremely rare events compared to all other activity, and so the computation time is essentially irrelevant outside response time for that individual user. No matter how many users, the systems are scaling such that the computation time of that rare event remains a fraction of overall CPU use.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42982>
_______________________________________
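To put the comment's cost argument in measurable terms, here is an added example (not code from the tracker thread, Django or Werkzeug) that derives and verifies a PBKDF2-HMAC hash at the two Werkzeug iteration counts quoted above and projects what share of one core logins would consume at a given arrival rate. The SHA-256 PRF, the 16-byte salt, the `$`-separated storage format and the 2 logins/s load are assumptions chosen for the example.

```python
"""PBKDF2-HMAC iteration-count cost check (added example; the PRF, salt size,
storage format and load figures below are constructed, not from the thread)."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Iteration counts quoted in the comment: Werkzeug 0.15.x and Werkzeug today.
ITERATION_COUNTS = (150_000, 260_000)


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Derive PBKDF2-HMAC-SHA256 and pack algorithm, iterations, salt and digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never treat as a match
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def time_one_hash(iterations: int, rounds: int = 3) -> float:
    """Median wall-clock seconds for one derivation at this iteration count."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"benchmark-only", b"\x00" * 16, iterations)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[len(samples) // 2]


def cpu_fraction(seconds_per_hash: float, logins_per_second: float) -> float:
    """Share of a single core consumed by login verifications at this rate."""
    return seconds_per_hash * logins_per_second


if __name__ == "__main__":
    for n in ITERATION_COUNTS:
        t = time_one_hash(n)
        # Constructed load: 2 logins/s, roughly 170k logins per day.
        print(f"{n:>7} iterations: {t * 1000:7.1f} ms/hash, "
              f"{cpu_fraction(t, 2.0):.1%} of one core at 2 logins/s")
```

Raising the iteration count scales the per-hash time linearly, so the printed fraction is the number to compare against the login rate of a real deployment.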