The PBKDF2 speed improvements are in Python 2.7.8 and 3.4+, so you'd need 
to use Python 2.7.7 or earlier to get the slower version.

On Tuesday, January 3, 2017 at 7:56:35 PM UTC-5, Martin Koistinen wrote:
>
> Hmmmm, I just tried this using a simple management command to do some 
> basic benchmarking of password hashing. I made this little package Py2/Py3 
> compatible. You can find it here: 
> https://github.com/mkoistinen/hash_benchmark
>
> (Just install it from the repo into an existing project, then add 
> 'hash_benchmark' to your INSTALLED_APPS and you now have the management 
> command `hash_benchmark`.)
>
> I was expecting to see Py3 out-perform Py2 here by roughly 3X based on 
> this thread. Instead, I see *the opposite*.
>
> Python: 2.7.10 (default, Jul 13 2015, 12:05:58) [GCC 4.2.1 Compatible 
> Apple LLVM 6.1.0 (clang-602.0.53)]
>
> Django: 1.9.7
>
> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification takes, 
> on average, 0.0955s
>
> vs.
>
> Python: 3.5.1 (v3.5.1:37a07cee5969, Dec  5 2015, 21:12:44) [GCC 4.2.1 
> (Apple Inc. build 5666) (dot 3)]
>
> Django: 1.10.3
>
> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification takes, 
> on average, 0.2751s
>
> What am I missing here?
>
> On Tuesday, January 3, 2017 at 12:45:42 PM UTC-5, Martin Koistinen wrote:
>>
>> I think the best practice is to set the iterations as high as you can 
>> tolerate without adversely affecting the user experience as they log in. 
>> Iteration numbers as high as 200,000 for SHA-256 or even more are not 
>> unheard of these days. Without looking at an application's password 
>> expiration policies, there's really no "one size fits all" number here.
>>
>> But, to be consistent with Django 1.x going forward, let's define 36,000 
>> iterations as "acceptable performance" for a Python2 with Django 1.11 
>> install on a typical piece of server hardware today (beginning of 2017). A 
>> useful benchmark would be to determine how many iterations would yield the 
>> same delay on a Py3 + Django 1.11 install on the same server.
>>
>> This should probably serve as a *baseline* default number of iterations 
>> and, IMHO, there should probably be a reasonable amount of encouragement in 
>> the documentation to set the number of iterations to a value as high as the 
>> application can tolerate. Ideally, there could be some in-built 
>> benchmarking tools to make this easier for the admin.
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/8d383765-c41e-403c-9e85-09f31582f58f%40googlegroups.com.
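
The calibration proposed in the thread (find the iteration count that costs a chosen delay on a given interpreter), as an added example that is not part of the original messages or of the hash_benchmark package. It assumes Python 3.4+ and times `hashlib.pbkdf2_hmac` directly, so Django's own hasher overhead is not included; the function names, password and salt are constructed for illustration.

```python
import hashlib
import statistics
import time

# Constructed sample inputs; not real credentials.
PASSWORD = b"correct horse battery staple"
SALT = b"constructed-salt"


def measure(iterations, repeats=5, digest="sha256"):
    """Median wall-clock seconds for one PBKDF2 derivation at `iterations`."""
    samples = []
    for _ in range(repeats):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac(digest, PASSWORD, SALT, iterations)
        samples.append(time.perf_counter() - start)
    return statistics.median(samples)


def scale_iterations(probe_iterations, probe_seconds, target_seconds, step=1000):
    """PBKDF2 cost is linear in the iteration count, so scale the probe
    linearly and round down to a multiple of `step` (never below `step`)."""
    if probe_seconds <= 0 or target_seconds <= 0:
        raise ValueError("timings must be positive")
    raw = probe_iterations * target_seconds / probe_seconds
    return max(step, int(raw // step) * step)


def calibrate(target_seconds, probe_iterations=36000):
    """Iteration count that costs roughly `target_seconds` on this interpreter."""
    probe_seconds = measure(probe_iterations)
    return scale_iterations(probe_iterations, probe_seconds, target_seconds)


if __name__ == "__main__":
    probe = 36000  # baseline figure quoted in the thread
    seconds = measure(probe)
    print("%d iterations: %.4fs per verification" % (probe, seconds))
    for target in (0.05, 0.10, 0.25):
        print("target %.2fs -> %d iterations" % (target, calibrate(target, probe)))
```

Running it under each interpreter on the same server gives per-interpreter counts for the same delay, which is the comparison the thread asks for.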