Hello, I’m currently building a web application that includes user authentication (signup/login) with email verification.
I’m using bcrypt for password hashing and considering additional safeguards around verification codes and input validation. I came across a discussion regarding PBKDF2 edge cases (such as invalid iteration values causing unexpected behavior), and it made me reconsider how much validation should be handled at the application level versus relying on library safeguards.

My questions are:

1. What are the recommended best practices for password hashing in modern web applications?
2. Should developers always enforce strict validation on cryptographic parameters (e.g., iteration counts), even when using well-maintained libraries?
3. Are there preferred approaches for securely handling verification codes (email/SMS) in terms of storage and expiration?

I would appreciate any guidance or references. Thank you.

_______________________________________________
Cryptography-dev mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/cryptography-dev.python.org
Member address: [email protected]
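The following is an added example, not part of the poster's message or any reply on the list, illustrating questions 2 and 3 together: validating KDF parameters at the application boundary before handing them to a library, and storing email/SMS verification codes as keyed digests with an expiry, a use-once flag and an attempt limit. It uses only the Python standard library (hashlib.pbkdf2_hmac, hmac, secrets); the policy values MIN_PBKDF2_ITERATIONS and CODE_TTL_SECONDS and the helper names are assumptions chosen for the example, not values from the post.

```python
import hashlib
import hmac
import secrets

# Assumed policy values for this example (not from the original post):
# a floor for PBKDF2-HMAC-SHA256 iterations and the lifetime of a verification code.
MIN_PBKDF2_ITERATIONS = 600_000
CODE_TTL_SECONDS = 600
MAX_CODE_ATTEMPTS = 5


def validate_pbkdf2_params(iterations, salt, dklen):
    """Reject bad KDF parameters at the application boundary instead of
    relying on the library to fail loudly. Returns the validated iteration count."""
    # bool is a subclass of int, so True would otherwise pass as iterations=1.
    if isinstance(iterations, bool) or not isinstance(iterations, int):
        raise TypeError("iterations must be an int")
    if iterations < MIN_PBKDF2_ITERATIONS:
        raise ValueError(f"iterations must be >= {MIN_PBKDF2_ITERATIONS}")
    if not isinstance(salt, (bytes, bytearray)) or len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    if isinstance(dklen, bool) or not isinstance(dklen, int) or dklen < 32:
        raise ValueError("derived key length must be at least 32 bytes")
    return iterations


def derive_key(password, salt, iterations=MIN_PBKDF2_ITERATIONS, dklen=32):
    """PBKDF2-HMAC-SHA256 with parameters checked before the library call."""
    validate_pbkdf2_params(iterations, salt, dklen)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def new_salt():
    """Fresh per-user salt; a new one is generated on every password change."""
    return secrets.token_bytes(16)


def issue_code(now, server_key):
    """Create a 6-digit verification code. Returns (code_for_user, stored_record).
    Only an HMAC of the code is stored, so a leaked table does not expose live codes."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    record = {
        "digest": hmac.new(server_key, code.encode("utf-8"), "sha256").hexdigest(),
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts_left": MAX_CODE_ATTEMPTS,
        "used": False,
    }
    return code, record


def verify_code(submitted, record, now, server_key):
    """Single-use, time-limited, attempt-limited check with a constant-time compare.
    Mutates the record (attempt counter, used flag) the way a DB row update would."""
    if record["used"] or now > record["expires_at"] or record["attempts_left"] <= 0:
        return False
    record["attempts_left"] -= 1
    actual = hmac.new(server_key, submitted.encode("utf-8"), "sha256").hexdigest()
    if hmac.compare_digest(record["digest"], actual):
        record["used"] = True
        return True
    return False


if __name__ == "__main__":
    # Constructed demo values; the server key would normally come from configuration.
    key = secrets.token_bytes(32)
    salt = new_salt()
    print(derive_key("correct horse battery staple", salt).hex())
    code, rec = issue_code(now=1_000.0, server_key=key)
    print("first use:", verify_code(code, rec, now=1_010.0, server_key=key))
    print("replay:   ", verify_code(code, rec, now=1_011.0, server_key=key))
```

The shape of the record (digest, expiry, remaining attempts, used flag) is what you would persist next to the user; the raw code is only ever sent to the user and never written to storage or logs. Checking expiry before touching the attempt counter keeps an expired code from being brute-forced at all, and the counter caps how many guesses a live six-digit code tolerates.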
