Hello cryptography, Over at the Flask repos, we've had a number of requests to use SHA-256 instead of SHA-1 in a couple places. Werkzeug defaults to SHA-1 as part of PBKDF2 to generate password hashes. ItsDangerous defaults to SHA-1 as part of HMAC signatures.
After some discussion I concluded that as used in those two methods, SHA-1's collision issues were not relevant. However, I'd like to get a second opinion from the cryptography experts. I can change the default to SHA-256, but if it's not actually making things more secure then that's just increasing time and space for no reason. Thanks, David
_______________________________________________ Cryptography-dev mailing list Cryptography-dev@python.org https://mail.python.org/mailman/listinfo/cryptography-dev
