Florian, I'm not sure that you read my message carefully enough. I'm *not* 
proposing to reduce the time that PBKDF2 takes to hash. I'm proposing to keep that 
time just as long, but make it independent of the password length.

On Sunday, September 15, 2013 1:12:31 PM UTC+3, Florian Apolloner wrote:
>
> On Sunday, September 15, 2013 11:45:29 AM UTC+2, Ram Rachum wrote:
>
>> What if instead of calculating the PBKDF2 hash of the password, we'll 
>> calculate the PBKDF2 hash of its SHA1 hash? Then the time of checking 
>> passwords wouldn't depend on their length, and we wouldn't even have to 
>> place a limit of 4096 characters on passwords-- An attacker could try a 
>> 1MB-long password but it would slow us down the same amount as trying 
>> "123456" would. 
>>
>
> PBKDF2 takes long by design… A better long term solution would be to rate 
> limit password attempts…
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.

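The construction proposed in the thread, written out as an added example (this is not Django's code, and the encoded-hash format, iteration count and the choice of SHA-256 as PBKDF2's PRF are assumptions made here for illustration): the password is first reduced to a fixed 20-byte SHA-1 digest, so PBKDF2 always processes an input of the same length whether the submitted password is six characters or a megabyte. The `hmac_key_cost` helper shows why the length mattered in the first place: HMAC pre-hashes any key longer than its block size, and a PBKDF2 implementation that builds a fresh HMAC on every iteration pays that cost once per iteration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 10000   # assumed iteration count for this example
PREHASH = "sha1"     # the pre-hash proposed in the thread
PRF = "sha256"       # assumed PBKDF2 PRF; only its fixed 64-byte block size matters here
SALT_LEN = 16


def prehash(password: bytes) -> bytes:
    """Collapse the password to a fixed-length digest (20 bytes for SHA-1)."""
    return hashlib.new(PREHASH, password).digest()


def hmac_key_cost(key_len: int, block_size: int = 64) -> int:
    """Extra bytes HMAC must hash per call to shorten an over-long key (RFC 2104).

    A naive PBKDF2 that constructs a new HMAC on each iteration pays this on
    every iteration, so the cost grows with password length * iterations.
    """
    return key_len if key_len > block_size else 0


def hash_password(password: bytes, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return a constructed 'pbkdf2_<prf>$<iter>$<salt>$<dk>' string (not Django's format)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    # PBKDF2 now always sees a 20-byte "password", regardless of the real length.
    dk = hashlib.pbkdf2_hmac(PRF, prehash(password), salt, iterations)
    return "pbkdf2_%s$%d$%s$%s" % (PRF, iterations, salt.hex(), dk.hex())


def check_password(password: bytes, encoded: str) -> bool:
    """Recompute the derived key and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = encoded.split("$")
    if algo != "pbkdf2_" + PRF:
        return False
    expected = hashlib.pbkdf2_hmac(PRF, prehash(password), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(expected.hex(), dk_hex)


def timed_check(password: bytes, encoded: str) -> float:
    """Wall-clock seconds for one verification; used only to eyeball the comparison."""
    start = time.perf_counter()
    check_password(password, encoded)
    return time.perf_counter() - start


if __name__ == "__main__":
    short_pw = b"123456"                 # constructed sample password
    long_pw = b"A" * (1024 * 1024)       # constructed 1 MB password
    enc = hash_password(short_pw)
    print("short password verifies:", check_password(short_pw, enc))
    print("key bytes re-hashed per naive HMAC, raw 1MB password:", hmac_key_cost(len(long_pw)))
    print("key bytes re-hashed per naive HMAC, pre-hashed      :", hmac_key_cost(len(prehash(long_pw))))
    print("verify time, 6-char password : %.4fs" % timed_check(short_pw, enc))
    print("verify time, 1MB password    : %.4fs" % timed_check(long_pw, enc))
```

The two timings should be within noise of each other, because after `prehash` the only work proportional to the submitted length is a single SHA-1 pass over it, which is cheap compared with the iterated PBKDF2 loop.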