Thanks Alex, TIL
https://mail.python.org/pipermail/distutils-sig/2016-May/028986.html

On 4 January 2017 at 17:42, Alex Gaynor <alex.gay...@gmail.com> wrote:

> Python 2.7.12 will look the same as 3.5.x, they both have the optimized
> implementation. Only 2.7.X where X<8 will have the slow implementation.
>
> If someone was motivated, they could look at the PyPI bigquery and see
> what versions of 2.7 people are using to install django.
>
> Alex
>
> On Wed, Jan 4, 2017 at 12:39 PM, Joey Wilhelm <tarkatro...@gmail.com>
> wrote:
>
>> FWIW, here are my own results from that benchmark (I ran each 5 times
>> just to account for any other system activity):
>>
>> Python: 2.7.12, Django: 1.10.4
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.0884s
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.0854s
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.1034s
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.1119s
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.0949s
>>
>> Python: 3.5.2, Django: 1.10.4
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.0876s
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.0857s
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.0872s
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.0847s
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.0874s
>>
>> Python: 3.6.0, Django: 1.10.4
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.0861s
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.0789s
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.0803s
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.0779s
>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>> takes, on average, 0.0815s
>>
>> This appears to agree with Tobias' results; this is also on a Mac. I can
>> toss in an older Python 2.7 as well if necessary or desired to see the
>> slower implementation. But I think this shows that there's a near enough
>> negligible speed difference in recent Python versions. Aside from perhaps a
>> very slight speedup in 3.6.
>>
>> -Joey Wilhelm
>>
>> On Wed, Jan 4, 2017 at 9:32 AM, Tobias McNulty <tob...@caktusgroup.com>
>> wrote:
>>
>>> Here's an interesting tidbit from Alex Gaynor in 2014:
>>>
>>> https://github.com/django/django/commit/6732566967888f2c12efee1146940c85c0154e60#diff-dd9c116fcefaf3916ace2608656311e0
>>>
>>> It's worth noting that, if I'm understanding this correctly, there are
>>> two slow versions of pbkdf2 we have to worry about -- the one bundled in
>>> Django
>>> (https://github.com/django/django/blob/6732566967888f2c12efee1146940c85c0154e60/django/utils/crypto.py#L142,
>>> which is used pre-2.7.8 and pre-3.4 and claims to be 5x slower) and the
>>> Python fallback for pbkdf2_hmac (which I suppose is used if OpenSSL is
>>> unavailable (?) and claims to be 3x slower).
>>>
>>> Martin, is it possible your version of Python 3 is not linked against
>>> OpenSSL and hence is missing the fast version of pbkdf2_hmac? I haven't had
>>> a chance to try your benchmark yet, but in a quick test I don't see any
>>> difference between Python 3.5.2 and Python 2.7.12 on a Mac.
>>>
>>> Tobias
>>>
>>> On Wed, Jan 4, 2017 at 3:22 AM, Aymeric Augustin <
>>> aymeric.augus...@polytechnique.org> wrote:
>>>
>>>> Still, this benchmark shows Python 3.5 being 3 times slower than Python
>>>> 2.7.
>>>>
>>>> This is a surprisingly large regression for this time-sensitive
>>>> function.
>>>>
>>>> --
>>>> Aymeric.
>>>>
>>>> On 4 Jan 2017, at 02:06, Tim Graham <timogra...@gmail.com> wrote:
>>>>
>>>> The PBKDF2 speed improvements are in Python 2.7.8 and 3.4+, so you'd
>>>> need to use Python 2.7.7 or earlier to get the slower version.
>>>>
>>>> On Tuesday, January 3, 2017 at 7:56:35 PM UTC-5, Martin Koistinen wrote:
>>>>>
>>>>> Hmmmm, I just tried this using a simple management command to do some
>>>>> basic benchmarking of password hashing. I made this little package Py2/Py3
>>>>> compatible. You can find it here:
>>>>> https://github.com/mkoistinen/hash_benchmark
>>>>>
>>>>> (Just install it from the repo into an existing project, then add
>>>>> 'hash_benchmark' to your INSTALLED_APPS and you now have the management
>>>>> command `hash_benchmark`.)
>>>>>
>>>>> I was expecting to see Py3 out-perform Py2 here by roughly 3X based on
>>>>> this thread. Instead, I see *the opposite*.
>>>>>
>>>>> Python: 2.7.10 (default, Jul 13 2015, 12:05:58) [GCC 4.2.1 Compatible
>>>>> Apple LLVM 6.1.0 (clang-602.0.53)]
>>>>>
>>>>> Django: 1.9.7
>>>>>
>>>>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>>>>> takes, on average, 0.0955s
>>>>>
>>>>> vs.
>>>>>
>>>>> Python: 3.5.1 (v3.5.1:37a07cee5969, Dec  5 2015, 21:12:44) [GCC 4.2.1
>>>>> (Apple Inc. build 5666) (dot 3)]
>>>>>
>>>>> Django: 1.10.3
>>>>>
>>>>> Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification
>>>>> takes, on average, 0.2751s
>>>>>
>>>>> What am I missing here?
>>>>>
>>>>> On Tuesday, January 3, 2017 at 12:45:42 PM UTC-5, Martin Koistinen
>>>>> wrote:
>>>>>>
>>>>>> I think the best practice is to set the iterations as high as you can
>>>>>> tolerate without adversely affecting the user experience as they log-in.
>>>>>> Iteration numbers as high as 200,000 for SHA-256 or even more are not
>>>>>> unheard of these days. Without looking at an application's password
>>>>>> expiration policies, there's really no "one size fits all" number here.
>>>>>>
>>>>>> But, to be consistent with Django 1.x going forward, let's define
>>>>>> 36,000 iterations as "acceptable performance" for a Python2 with Django
>>>>>> 1.11 install on a typical piece of server hardware today (beginning of
>>>>>> 2017). A useful benchmark would be to determine how many iterations would
>>>>>> yield the same delay on a Py3 + Django 1.11 install on the same server.
>>>>>>
>>>>>> This should probably serve as a *baseline* default number of
>>>>>> iterations and, IMHO, there should probably be a reasonable amount of
>>>>>> encouragement in the documentation to set the number of iterations to a
>>>>>> value as high as the application can tolerate. Ideally, there could be
>>>>>> some in-built benchmarking tools to make this easier for the admin.
>>>>>>
>>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Django developers (Contributions to Django itself)" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to django-developers+unsubscr...@googlegroups.com.
>>>> To post to this group, send email to django-developers@googlegroups.com.
>>>> Visit this group at https://groups.google.com/group/django-developers.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/django-developers/8d383765-c41e-403c-9e85-09f31582f58f%40googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>>
>>>
>>> *Tobias McNulty* Chief Executive Officer
>>>
>>> tob...@caktusgroup.com
>>> www.caktusgroup.com
>>>
>>
>
>
>
> --
> "I disapprove of what you say, but I will defend to the death your right
> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: D1B3 ADC0 E023 8CA6
>



-- 
Adam
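
The comparison discussed in this thread, as an added example that is not part of any message above and is not the code of the `hash_benchmark` package: a plain-Python PBKDF2-HMAC-SHA256 loop timed against `hashlib.pbkdf2_hmac`, plus a calibration helper that finds how many iterations fit a given delay. It assumes Python 3; the function names, password and salt are constructed for the example.

```python
import hashlib
import hmac
import struct
import time


def pbkdf2_pure(password, salt, iterations, dklen=32):
    """PBKDF2-HMAC-SHA256 as a plain Python loop (stands in for a slow path)."""
    out = b""
    block = 1
    while len(out) < dklen:
        u = hmac.new(password, salt + struct.pack(">I", block), hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")  # T_i = U_1 xor U_2 xor ... xor U_c
        out += t.to_bytes(32, "big")
        block += 1
    return out[:dklen]


def pbkdf2_fast(password, salt, iterations, dklen=32):
    """The interpreter's own implementation (OpenSSL-backed where available)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def seconds_per_call(kdf, iterations, repeats=3):
    """Best-of-N wall time for one derivation; min() damps other system activity."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        kdf(b"constructed-password", b"constructed-salt", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def iterations_for_delay(kdf, target_seconds, probe=20000):
    """PBKDF2 cost is linear in the iteration count, so scale one probe run."""
    per_iteration = seconds_per_call(kdf, probe) / probe
    return max(1, int(target_seconds / per_iteration))


if __name__ == "__main__":
    print("hashlib, 100,000 iterations: %.4fs" % seconds_per_call(pbkdf2_fast, 100000))
    print("pure,    100,000 iterations: %.4fs" % (seconds_per_call(pbkdf2_pure, 20000) * 5))
    budget = seconds_per_call(pbkdf2_fast, 36000)  # delay of 36,000 fast iterations
    print("pure iterations in that time:", iterations_for_delay(pbkdf2_pure, budget))
```

Both functions return identical bytes for the same inputs, so the only thing that differs between them is how many iterations a login-time budget can afford.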
