Re: BCrypt and PBKDF2 Password Hash Caching

2013-11-19 Thread Erik van Zijst
On Tuesday, 19 November 2013 18:38:33 UTC-8, Wim Lewis wrote:
> On 19 Nov 2013, at 6:10 PM, Javier Guerra Giraldez wrote:
> > but still you get only SHA1-level strength, when the whole idea was to
> > switch to stronger crypto. if in your case SHA1 is enough, you can
> > simply keep using

Re: Why not use @classmethod decorator consistently in django/utils/functional.py?

2013-11-19 Thread Adam Smith
I see. Thanks a lot Shai, for both your welcome and detailed explanation!

Re: Why not use @classmethod decorator consistently in django/utils/functional.py?

2013-11-19 Thread Shai Berger
Hi Adam,
(reordering quoted parts a little)
On Tuesday 19 November 2013 18:33:01 Adam Smith wrote:
> Hi, I'm quite new to Python and Django
Welcome aboard!
> Like I said, I'm quite new to Python and this community, I'm not sure
> whether this is the right place to ask this kind of question.
>

Re: BCrypt and PBKDF2 Password Hash Caching

2013-11-19 Thread Wim Lewis
On 19 Nov 2013, at 6:10 PM, Javier Guerra Giraldez wrote:
> but still you get only SHA1-level strength, when the whole idea was to
> switch to stronger crypto. if in your case SHA1 is enough, you can
> simply keep using it. if it's not enough, then you shouldn't be using
> it.
Well, it seems

Why not use @classmethod decorator consistently in django/utils/functional.py?

2013-11-19 Thread Adam Smith
Hi, I'm quite new to Python and Django, as I read through the django/utils/functional.py, I was wondering why not use `classmethod` as a class method decorator consistently, as line

Re: BCrypt and PBKDF2 Password Hash Caching

2013-11-19 Thread Donald Stufft
Password hashing schemes are slow on purpose to prevent brute force. Siphash wouldn't make sense because if you're switching for speed you can just use any secure hash function. crypt by default is much slower than PBKDF2 FWIW. You should tune the work factor/iterations until it's fast enough

Re: BCrypt and PBKDF2 Password Hash Caching

2013-11-19 Thread Javier Guerra Giraldez
On Tue, Nov 19, 2013 at 8:48 PM, Erik van Zijst wrote:
> You make a good point.
>
> An obvious fix would seem to be to add the username to the cache key. This
> way users cannot "use" another user's cache entry.
right, that would fix it. (i guess, i'm no security

Re: BCrypt and PBKDF2 Password Hash Caching

2013-11-19 Thread Erik van Zijst
You make a good point.
An obvious fix would seem to be to add the username to the cache key. This way users cannot "use" another user's cache entry.
Cheers, Erik
On Friday, 15 November 2013 11:41:43 UTC-8, Javier Guerra wrote:
>
> On Fri, Nov 15, 2013 at 2:27 PM, Marc Tamlyn
>