I would suggest that's the kind of thing which is unlikely to get merged,
mainly for security reasons as someone could potentially configure it more
wrong than other things. It's also only useful or relevant for nonstandard
large deployments such as yourselves.

That said, it sounds like an interesting solution and would make a good library.
However, I'm not knowledgeable enough to say whether it is a good idea from a
security perspective.

Marc
On 15 Nov 2013 18:45, "Erik van Zijst" <erik.van.zi...@gmail.com> wrote:

> We run bitbucket.org and are upgrading from SHA1 to BCrypt hashes. We
> offer Basic Auth support which is used a lot. So much so that we can't
> handle the increased load from these more expensive hashes. This has been
> the cause behind a recent self-inflicted DoS.
>
> BCrypt and PBKDF2 are ~4-5 orders of magnitude slower than a SHA1
> (deliberately so of course), bringing them into the hundred ms per hash
> range. For a high volume site that's a rather steep price to pay. We
> would have to lower the number of rounds substantially, which would negate
> much of their strength.
>
> To make bcrypt scale, we wrote a hasher that stores user passwords and
> their hash results in Django's cache (Memcached in our case). To prevent
> plain text passwords leaving the process, we SHA1 the values first. The
> code is here: https://github.com/django/django/pull/1918/files
>
> How do people feel about this approach and should it be merged into
> Django? If not, then I can turn it into a library instead. Maybe at our
> size we're not in Django's sweet spot anymore. However, in their current
> version the recommended hashers are just not usable for us.
>
> Cheers,
> Erik
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at http://groups.google.com/group/django-developers.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/5f384586-2183-46b7-a6a2-9ffd14caa3b0%40googlegroups.com
> .
> For more options, visit https://groups.google.com/groups/opt_out.
>

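As an added example (not code from this thread or from the linked pull request), the caching hasher Erik describes, in Python: verification results are memoised under a keyed hash of the password and the stored credential, so repeated Basic Auth requests skip the slow hash, and a password change misses the cache automatically. PBKDF2 stands in for bcrypt, an in-memory dict stands in for Memcached, and the cache secret and round count are constructed values; using an HMAC rather than plain SHA1 for the cache key is a hardening the thread does not itself propose.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-ins: a server-side secret for the cache key and a
# PBKDF2 round count playing the role of bcrypt's cost factor.
CACHE_SECRET = b"constructed-server-side-secret"
SLOW_ROUNDS = 100_000


def slow_hash(password: str, salt: bytes) -> bytes:
    """Expensive password hash (PBKDF2-HMAC-SHA256 standing in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ROUNDS)


def make_stored_hash(password: str) -> str:
    """Create the at-rest credential as 'salt$digest', both hex encoded."""
    salt = os.urandom(16)
    return salt.hex() + "$" + slow_hash(password, salt).hex()


class CachedVerifier:
    """Memoises verify() results so a client that sends the same Basic Auth
    credentials on every request only pays for the slow hash once per TTL."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self.cache = {}      # cache key -> (verified, expiry); stands in for Memcached
        self.slow_calls = 0  # instrumentation: how often the slow hash ran

    def _cache_key(self, password: str, stored: str) -> str:
        # Keyed hash instead of a plain SHA1 of the password: a dumped cache
        # cannot be guessed against offline without CACHE_SECRET. Binding the
        # stored hash into the key invalidates entries when the password changes.
        msg = password.encode() + b"\0" + stored.encode()
        return hmac.new(CACHE_SECRET, msg, hashlib.sha256).hexdigest()

    def verify(self, password: str, stored: str) -> bool:
        key = self._cache_key(password, stored)
        hit = self.cache.get(key)
        if hit is not None and hit[1] > time.monotonic():
            return hit[0]
        salt_hex, digest_hex = stored.split("$", 1)
        self.slow_calls += 1
        computed = slow_hash(password, bytes.fromhex(salt_hex))
        ok = hmac.compare_digest(computed, bytes.fromhex(digest_hex))
        # Failures are cached too: repeated wrong guesses are the DoS case.
        self.cache[key] = (ok, time.monotonic() + self.ttl)
        return ok
```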