We run bitbucket.org and are upgrading from SHA1 to BCrypt hashes. We offer 
Basic Auth support which is used a lot. So much so that we can't handle the 
increased load from these more expensive hashes. This has been the cause 
behind a recent self-inflicted DoS.

BCrypt and PBKDF2 are ~4-5 orders of magnitude slower than a SHA1 
(deliberately so of course), bringing them into the hundred ms per hash 
range. For a high volume site that's a rather steep price to pay. We would 
have to lower the number of rounds substantially, which would negate much 
of their strength.

To make bcrypt scale, we wrote a hasher that stores user passwords and 
their hash results in Django's cache (Memcached in our case). To prevent 
plaintext passwords leaving the process, we SHA1 the values first. The 
code is here: https://github.com/django/django/pull/1918/files

How do people feel about this approach and should it be merged into Django? 
If not, then I can turn it into a library instead. Maybe at our size we're 
not in Django's sweet spot anymore. However, in their current version the 
recommended hashers are just not usable for us.

Cheers,
Erik
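
As an added illustration of the scheme described above (not Erik's pull request and not Django's code): a minimal Python version that uses PBKDF2 from the standard library as the stand-in for bcrypt, a dict as the stand-in for Memcached, and SHA-256 rather than SHA1 for the cache key. The credentials are constructed sample values.

```python
import base64
import hashlib
import hmac
import os


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


class CachingHasher:
    """Slow hash (PBKDF2 stands in for bcrypt) fronted by a verification cache."""

    def __init__(self, cache, iterations=200_000):
        self.cache = cache            # dict standing in for Memcached
        self.iterations = iterations
        self.slow_calls = 0           # counts expensive verifications (demo)

    def encode(self, password, salt=None):
        salt = salt or os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)
        return "pbkdf2_sha256$%d$%s$%s" % (self.iterations, _b64(salt), _b64(dk))

    def _cache_key(self, password, encoded):
        # Digest the password before it leaves the process; including the stored
        # hash means a password change invalidates old entries. Entries are only
        # as strong as this fast hash, so the cache must be treated as sensitive.
        return hashlib.sha256(password.encode() + b"\0" + encoded.encode()).hexdigest()

    def verify(self, password, encoded):
        key = self._cache_key(password, encoded)
        hit = self.cache.get(key)
        if hit is not None:
            return hit                # cached verdict: no slow hash
        _algo, iters, salt, dk = encoded.split("$")
        self.slow_calls += 1
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), base64.b64decode(salt), int(iters))
        ok = hmac.compare_digest(base64.b64decode(dk), candidate)
        self.cache[key] = ok          # cache failures too, so a repeated wrong
        return ok                     # password costs one slow hash, not many


def demo(iterations=20_000):
    """Two Basic Auth requests with the same credentials cost one slow hash."""
    h = CachingHasher({}, iterations)
    enc = h.encode("correct horse battery")   # constructed sample password
    first = h.verify("correct horse battery", enc)
    second = h.verify("correct horse battery", enc)
    return first, second, h.slow_calls     # (True, True, 1)
```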
