Now that Python 2 is dropped in Django 2.0 and a faster implementation of pbkdf2 is guaranteed to be available (from what I understand), it's time to reevaluate our strategy for increasing the number of iterations each release.
I'm not sure how to evaluate potential performance issues from bumping the number of iterations too aggressively. I'd be happy to do some benchmarks but I'm not sure what will be meaningful. The Python docs say, "As of 2013, at least 100,000 iterations of SHA-256 are suggested." [0] Here are the number of iterations in recent versions of Django: Django 1.8: 20000 Django 1.9: 24000 Django 1.10: 30000 Django 1.11: 36000 [0] https://docs.python.org/3/library/hashlib.html#hashlib.pbkdf2_hmac On Tuesday, September 22, 2015 at 5:15:37 PM UTC-4, Aymeric Augustin wrote: > > On 22 sept. 2015, at 21:21, Tim Graham <timog...@gmail.com <javascript:>> > wrote: > > > At this point, I'm inclined to continue with the 20-25% iterations > increase per release methodology we've been using unless someone wants to > advocate for one of the other proposals. > > > I agree. > > -- > Aymeric. > > > > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/fd777015-3d60-4a60-9e41-a7fd1d421200%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.