We already committed a fix for pbkdf2; the DoS vector no longer exists (at least not in this form): https://github.com/django/django/commit/68540fe4df44492571bc610a0a043d3d02b3d320
On Thursday, October 3, 2013 9:56:14 AM UTC+2, Ram Rachum wrote:
>
> Hi everybody,
>
> I've submitted the patch, and corrected it, and it's been sitting on the
> issue tracker for 2 weeks without anyone commenting. Does anyone care to
> discuss this? I want to have this merged in, or discuss any problems in
> merging it in.
>
>
> On Sun, Sep 15, 2013 at 11:27 PM, Ram Rachum <[email protected]> wrote:
>
>> Submitted patch:
>>
>> https://code.djangoproject.com/ticket/21105#comment:1
>>
>> On Sunday, September 15, 2013 10:09:55 PM UTC+3, Donald Stufft wrote:
>>
>>>
>>> On Sep 15, 2013, at 2:59 PM, Florian Apolloner <[email protected]>
>>> wrote:
>>>
>>> Hi Ram,
>>>
>>> On Sunday, September 15, 2013 12:34:03 PM UTC+2, Ram Rachum wrote:
>>>>
>>>> Florian, I'm not sure that you read my message carefully enough. I'm *not*
>>>> proposing to reduce the time that PBKDF2 takes to hash.
>>>>
>>>
>>> By replacing the password with a hash before running it through PBKDF2
>>> you are reducing that time for every password longer than the hash… And
>>> given the way PBKDF2 works you'll reduce it by quite a bit (note that all
>>> of this only applies to passwords longer than the hash, so it's probably
>>> pretty academical). Either way, we'd at least need a new hasher class since
>>> it would be backwards incompatible. Independent of that we'd have to
>>> evaluate if pre-hashing the password could make PBKDF2 less secure
>>> (probably not too likely, but who knows).
>>>
>>>
>>> According to Thomas Pornin in the context of bcrypt pre-hashing the
>>> password is fine (and we already do this in Django 1.6). I see no reason
>>> the same wouldn't hold true for PBKDF2.
>>>
>>> -----------------
>>> Donald Stufft
>>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>>>

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/48f1d111-e8e0-4c16-bec3-1af1cd1aa1f9%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
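The two mitigations the thread weighs (pre-hashing the password versus bounding its length) and the reason the cost grows in the first place, as an added example that is not Django's code and not taken from the linked commit or from the patch on ticket 21105. HMAC-SHA256 hashes any key longer than its 64-byte block size down to 32 bytes, so a PBKDF2 loop that re-keys HMAC with the raw password on every iteration pays that extra hashing `iterations` times. The names, the sample salt and the 4096-byte cap below are assumptions chosen for illustration:

```python
"""Constructed illustration of PBKDF2 cost versus password length; not Django's code."""
import hashlib
import hmac
import struct
import time

BLOCK_SIZE = 64            # SHA-256 block size; HMAC hashes any longer key down to 32 bytes
MAX_PASSWORD_BYTES = 4096  # assumed cap for illustration, not read from the linked commit


def naive_pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2 (RFC 8018) as a pure-Python hasher might spell it: a fresh HMAC is keyed
    with the raw password on every iteration, so the over-long-key reduction inside
    HMAC is paid `iterations` times per derived block."""
    out = b""
    block_index = 1
    while len(out) < dklen:
        u = hmac.new(password, salt + struct.pack(">I", block_index), hashlib.sha256).digest()
        t = u
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()  # re-keys HMAC with the full password
            t = bytes(a ^ b for a, b in zip(t, u))
        out += t
        block_index += 1
    return out[:dklen]


def stdlib_pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Same function via hashlib, which processes the key once; the per-iteration cost
    then stops growing with password length, although the input is still accepted."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def extra_key_blocks_per_iteration(password_len: int) -> int:
    """SHA-256 compression calls HMAC spends on a key longer than the block size
    (key + 0x80 pad + 8-byte length, rounded up to whole 64-byte blocks)."""
    if password_len <= BLOCK_SIZE:
        return 0
    return (password_len + 9 + BLOCK_SIZE - 1) // BLOCK_SIZE


class PasswordTooLong(ValueError):
    """Raised when a submitted password exceeds the accepted length."""


def hash_with_length_cap(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Mitigation in the style of a length cap: reject over-long input before any key
    stretching happens, so the work an unauthenticated request can trigger is bounded."""
    if len(password) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"password longer than {MAX_PASSWORD_BYTES} bytes")
    return stdlib_pbkdf2_hmac_sha256(password, salt, iterations)


def prehash(password: bytes) -> bytes:
    """The patch's approach: shrink the password to a fixed 32 bytes before PBKDF2 sees it."""
    return hashlib.sha256(password).digest()


def hash_with_prehash(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Pre-hashing changes the output for every password, which is why the thread says it
    needs a new hasher class (a new algorithm identifier) rather than a silent change."""
    return stdlib_pbkdf2_hmac_sha256(prehash(password), salt, iterations)


def time_call(fn, *args) -> float:
    """Wall-clock seconds for one call; used only for the demonstration below."""
    t0 = time.perf_counter()
    fn(*args)
    return time.perf_counter() - t0


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample value
    iterations = 2000
    for n in (8, 64, 1024, 4096):
        pw = b"p" * n
        print(f"len={n:5d} extra key blocks/iter={extra_key_blocks_per_iteration(n):3d} "
              f"naive={time_call(naive_pbkdf2_hmac_sha256, pw, salt, iterations):.4f}s "
              f"hashlib={time_call(stdlib_pbkdf2_hmac_sha256, pw, salt, iterations):.4f}s")
```

Both implementations derive identical keys, which is the point: the naive loop is correct, only its cost scales with input length. `hash_with_length_cap` keeps the existing hash format and rejects the oversized input up front; `hash_with_prehash` keeps accepting any length but produces different digests from plain PBKDF2, so existing stored hashes would need a distinct hasher identifier to remain verifiable.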
