@Florian: Getting this into core Python and/or OpenSSL is a possible option but that will not benefit users of older Pythons (and of course PyPy) of which there are many.
@Alex: The implementation I am binding it *much* faster than the one OpenSSL ships, even in 1.1.0 due to the strategies described in https://jbp.io/2015/08/11/pbkdf2-performance-matters/#strategies. On Sunday, August 21, 2016 at 5:08:14 AM UTC+8, Aymeric Augustin wrote: > > Well fastpbkdf2 claims a 3x improvement over what Python ships. See the > timeit results in the README. > > -- > Aymeric. > > On 20 Aug 2016, at 22:03, Alex Gaynor <[email protected] <javascript:>> > wrote: > > AFAIK upstream Python does use an optimized PBKDF2 (and OpenSSL 1.1.0 also > has it). > > Alex > > On Sat, Aug 20, 2016 at 4:02 PM, Florian Apolloner <[email protected] > <javascript:>> wrote: > >> Ups, just realized that we use pbldf2 for more than just password hashing >> -- if that where not the case the multi-library approach like the bcrypt >> hasher uses would be preferred. That said, I would still prefer it if you >> got in contact with Christian Heimes from Python to push this into Python >> itself (or OpenSSL for that matter, didn't check the code). >> >> On Saturday, August 20, 2016 at 9:46:27 PM UTC+2, Florian Apolloner wrote: >>> >>> What was the motivation for writing your own library instead of >>> improving the version in python itself? Personally I do not see much gain, >>> if you have to install a dependency, you could as well just install bcrypt >>> or argon2 and ditch pbkdf2. For those people where it really makes a >>> difference, a custom backend as you already have should be just fine. >>> >>> On Saturday, August 20, 2016 at 1:53:21 PM UTC+2, Terry Chia wrote: >>>> >>>> Greetings, >>>> >>>> 11 months ago, I opened a ticket (#25395) on the bug tracker about >>>> potentially adding a dependency on python-fastpbkdf2, a library I wrote >>>> and >>>> maintain that provides a faster implementation of PBKDF2 than the stdlib >>>> while maintaining API compatibility. Tim rightly pointed out that he was >>>> hesitant to add a dependency on a new library in a security-sensitive area >>>> and suggested that I write to this list to gather feedback. Sadly, I got >>>> really busy with work and neglected to follow up on it at that point in >>>> time. >>>> >>>> 11 months later, I am hoping to open up the discussion again. In that >>>> time period, passlib has opted to add a optional dependency on the library >>>> [0], there has been a third party library that integrates >>>> python-fastpbkdf2 >>>> with Django[1] and having used it in a number of internal projects, it is >>>> definitely stable. I have a patch ready to go if the interest is there. >>>> >>>> So Django developers, what do you think? >>>> >>>> [0]: >>>> https://bitbucket.org/ecollins/passlib/issues/67/add-an-optional-dependency-on-python >>>> [1]: https://github.com/smartfile/django-fastpbkdf2 >>>> >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "Django developers (Contributions to Django itself)" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected] <javascript:>. >> To post to this group, send email to [email protected] >> <javascript:>. >> Visit this group at https://groups.google.com/group/django-developers. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/django-developers/054efcdd-1c09-455a-ae7a-e0f8d36f8ba6%40googlegroups.com >> >> <https://groups.google.com/d/msgid/django-developers/054efcdd-1c09-455a-ae7a-e0f8d36f8ba6%40googlegroups.com?utm_medium=email&utm_source=footer> >> . >> >> For more options, visit https://groups.google.com/d/optout. >> > > > > -- > "I disapprove of what you say, but I will defend to the death your right > to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) > "The people's good is the highest law." -- Cicero > GPG Key fingerprint: D1B3 ADC0 E023 8CA6 > > > -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] <javascript:>. > To post to this group, send email to [email protected] > <javascript:>. > Visit this group at https://groups.google.com/group/django-developers. > To view this discussion on the web visit > https://groups.google.com/d/msgid/django-developers/CAFRnB2XKCpQAKaneOY6QxPu0cJDDJpCUXy32-RRiHhunTBUc9g%40mail.gmail.com > > <https://groups.google.com/d/msgid/django-developers/CAFRnB2XKCpQAKaneOY6QxPu0cJDDJpCUXy32-RRiHhunTBUc9g%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > > > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/c2ff8353-8a41-4824-a8ee-e0ff36fe1642%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
