Re: Idea about authentication

2013-09-15 Thread Florian Apolloner
Hi, there are a few things which worry me about this patch (aside from the note from charettes). You write "and the DoS attack vector is avoided", which is not true: hashing functions are by design CPU-intensive, so you are not avoiding DoS, even if hashing now consistently takes less (for short

Re: Benchmarking 1.5 vs 1.6

2013-09-15 Thread charettes
I guess it's related to a2396a4c8f[1] and #19184[2]. [1] https://github.com/django/django/commit/a2396a4c8f2ccd7f91adee6d8c2e9c31f13f0e3f [2] https://code.djangoproject.com/ticket/19184 On Sunday, 15 September 2013 20:05:43 UTC-4, Curtis Maloney wrote: > > So what's going on here: > >

Re: Benchmarking 1.5 vs 1.6

2013-09-15 Thread Curtis Maloney
So what's going on here: Running 'query_none' benchmark ... Min: 0.44 -> 0.000262: 5.9674x slower Avg: 0.47 -> 0.000290: 6.1906x slower Significant (t=-12.805744) Stddev: 0.1 -> 0.00013: 14.5148x larger (N = 50) -- Curtis On 15 September 2013 16:31, Anssi Kääriäinen

Re: [GSoC] Revamping validation framework and merging django-secure once again

2013-09-15 Thread Nick Phillips
On Sun, 2013-09-15 at 18:23 +0200, Aymeric Augustin wrote: > On 15 sept. 2013, at 17:57, Simon Kern wrote: > > > Yes but management commands should be irrelevant for django-secure > > Well, in this case, I have a backup argument :) > > There's a non-negligible number of

Re: Idea about authentication

2013-09-15 Thread Ram Rachum
Submitted patch: https://code.djangoproject.com/ticket/21105#comment:1 On Sunday, September 15, 2013 10:09:55 PM UTC+3, Donald Stufft wrote: > > > On Sep 15, 2013, at 2:59 PM, Florian Apolloner > > wrote: > > Hi Ram, > > On Sunday, September 15, 2013 12:34:03 PM UTC+2, Ram

Re: Idea about authentication

2013-09-15 Thread Donald Stufft
On Sep 15, 2013, at 2:59 PM, Florian Apolloner wrote: > Hi Ram, > > On Sunday, September 15, 2013 12:34:03 PM UTC+2, Ram Rachum wrote: > Florian, I'm not sure that you read my message carefully enough. I'm not > proposing to reduce the time that PBKDF2 takes to hash. >

Re: Idea about authentication

2013-09-15 Thread Florian Apolloner
Hi Ram, On Sunday, September 15, 2013 12:34:03 PM UTC+2, Ram Rachum wrote: > > Florian, I'm not sure that you read my message carefully enough. I'm *not* > proposing to reduce the time that PBKDF2 takes to hash. > By replacing the password with a hash before running it through PBKDF2 you are

Re: [GSoC] Revamping validation framework and merging django-secure once again

2013-09-15 Thread Aymeric Augustin
On 15 sept. 2013, at 20:07, Michael Manfre wrote: > No amount of code or docs will fix all of the stupid things people do. > Of course, but that isn't a sufficient reason for disabling the security checks. The point of django-secure is to help users with limited knowledge of

Re: [GSoC] Revamping validation framework and merging django-secure once again

2013-09-15 Thread Michael Manfre
On Sep 15, 2013 12:23 PM, "Aymeric Augustin" <aymeric.augus...@polytechnique.org> wrote: > > On 15 sept. 2013, at 17:57, Simon Kern wrote: > > > Yes but management commands should be irrelevant for django-secure > > Well, in this case, I have a backup argument :) > >

Re: [GSoC] Revamping validation framework and merging django-secure once again

2013-09-15 Thread Aymeric Augustin
On 15 sept. 2013, at 17:57, Simon Kern wrote: > Yes but management commands should be irrelevant for django-secure Well, in this case, I have a backup argument :) There's a non-negligible number of people serving websites in production with ./manage.py runserver, in

Re: [GSoC] Revamping validation framework and merging django-secure once again

2013-09-15 Thread Simon Kern
Yes but management commands should be irrelevant for django-secure On 15.09.13 17:52, Aymeric Augustin wrote: > On 15 sept. 2013, at 16:40, Simon K. wrote: > >> But in production the entry point is the wsgi.py file, isn't it? > It's the main entry point in production, but

Re: [GSoC] Revamping validation framework and merging django-secure once again

2013-09-15 Thread Aymeric Augustin
On 15 sept. 2013, at 16:40, Simon K. wrote: > But in production the entry point is the wsgi.py file, isn't it? It's the main entry point in production, but not the only one; manage.py / django-admin.py is still used to run management commands. -- Aymeric.

Re: [GSoC] Revamping validation framework and merging django-secure once again

2013-09-15 Thread Simon K.
On Wednesday, 17 July 2013 10:20:47 UTC+2, Russell Keith-Magee wrote: > > > On Mon, Jul 15, 2013 at 8:17 PM, Christopher Medrela > > wrote: > >> Progress: I've implemented manager checks. >> >> This API allows us to register, among other things, app-specific checks. >>

Re: Idea about authentication

2013-09-15 Thread Donald Stufft
We'd want to use SHA256 but that's an OK thing to do AFAIK. I wouldn't agree to it in a security patch because it breaks backwards compatibility in a much larger way than the patch we did does. In fact we already do this with the bcrypt hasher in Django 1.6+ to solve a password truncation

Re: Idea about authentication

2013-09-15 Thread Ram Rachum
Florian, I'm not sure that you read my message carefully enough. I'm *not* proposing to reduce the time that PBKDF2 takes to hash. I'm proposing to keep that time just as long, but make it independent of the password length. On Sunday, September 15, 2013 1:12:31 PM UTC+3, Florian Apolloner

Re: Idea about authentication

2013-09-15 Thread Florian Apolloner
On Sunday, September 15, 2013 11:45:29 AM UTC+2, Ram Rachum wrote: > What if instead of calculating the PBKDF2 hash of the password, we'll > calculate the PBKDF2 hash of its SHA1 hash? Then the time of checking > passwords wouldn't depend on their length, and we wouldn't even have to > place

Re: Idea about authentication

2013-09-15 Thread Ram Rachum
Thanks Curtis! I thought about my idea and realized it makes a brute-force attack easier, and we'd have to make the hashing stronger to compensate... Making the computation time longer for the real users logging in... So yeah, it won't help. But then I had another idea. So PBKDF2 takes a

Re: Idea about authentication

2013-09-15 Thread Curtis Maloney
Actually, you'd just speed up their attack, since most failed attempts would be quicker than others. If you look in the crypto utils, you'll see a "constant time compare" ... this is a common thing in crypto circles to avoid leaking "how close" the guess was by how quickly the mismatch was found.

Idea about authentication

2013-09-15 Thread Ram Rachum
Hi guys, I just saw the new release announcement and I had an idea. What if, in addition to storing the hard-to-compute hash for every password, we will also store the SHA1 hash of the first 5 characters of the password's SHA1 hash? Wouldn't this allow us to quickly rule out 99% of passwords,

[ANNOUNCE] Security releases issued -- vulnerability in the wild

2013-09-15 Thread James Bennett
Earlier today a message posted to the django-developers mailing list publicly disclosed what was later determined to be an exploitable security issue in Django. As such, we have short-circuited our normal one-week process and moved to immediately issuing new releases to remedy the problem. Full

Re: Benchmarking 1.5 vs 1.6

2013-09-15 Thread Anssi Kääriäinen
On Sunday, September 15, 2013 3:13:09 AM UTC+3, Curtis Maloney wrote: > > Hey, thanks for that! > > It would be nice to have something that would chart this over time... > something like some people have set up for GCC. > > I've never been able to get djangobench to give meaningful results, >