Re: Methodology for increasing the number of PBKDF2 iterations

2017-02-12 Thread Martin Koistinen
. The up-side is PBKDF2 is significantly better than was previously calculated. Enjoy! On Monday, January 30, 2017 at 2:09:56 PM UTC-5, Martin Koistinen wrote: > > *IMPORTANT NOTICE:* I've just made an important change to the Google Docs > Sheet here: > https://docs.google.com/sp

Re: Methodology for increasing the number of PBKDF2 iterations

2017-01-30 Thread Martin Koistinen
*IMPORTANT NOTICE:* I've just made an important change to the Google Docs Sheet here: https://docs.google.com/spreadsheets/d/16_KdYAW03sb86-w_AFFnM79IaTWQ7Ugx4T0VMfGteTM/edit?usp=sharing Realizing that most security policies make requirements such as "At least 1 character must be a numeral",

Re: Methodology for increasing the number of PBKDF2 iterations

2017-01-24 Thread Martin Koistinen
Updated the sheet with more recent GPU pricing. On Thursday, January 19, 2017 at 1:19:57 PM UTC-5, Martin Koistinen wrote: > > All, I've converted my worksheet into a Google Docs Sheet here: > https://docs.google.com/spreadsheets/d/16_KdYAW03sb86-w_AFFnM79IaTWQ7Ugx4T0VMfGteTM/edit?us

Re: Methodology for increasing the number of PBKDF2 iterations

2017-01-19 Thread Martin Koistinen
to tweak for your system and security policy. Comments and suggestions are welcome and if appropriate, I'll make edits accordingly. On Wednesday, January 18, 2017 at 12:32:55 PM UTC-5, Martin Koistinen wrote: > > Tim, I've sent you a model I've assembled recently for your review. I'll

Re: Methodology for increasing the number of PBKDF2 iterations

2017-01-18 Thread Martin Koistinen
00,000 on master (targeting Django 2.0). It > would be nice to determine a guideline for how to determine future > increases. > > On Monday, January 16, 2017 at 12:55:25 PM UTC-5, Martin Koistinen wrote: >> >> Tobias, >> >> Thanks for the comprehensive benchmark

Re: Methodology for increasing the number of PBKDF2 iterations

2017-01-16 Thread Martin Koistinen
Tobias, Thanks for the comprehensive benchmarking and summary of the situation! I agree on all points, but I'd like to add, that we should err on the side of high iterations for the simple fact that most developers would sooner accept the risk of a DoS long before the risk of compromised user

Re: Methodology for increasing the number of PBKDF2 iterations

2017-01-09 Thread Martin Koistinen
own Python and doing so without OpenSSL. I'm guessing that > any operating system Python will have the OpenSSL bindings. Or is that a > bad assumption? > > On Wednesday, January 4, 2017 at 2:13:09 PM UTC-5, Martin Koistinen wrote: >> >> I think this is a pretty solid guess. Be

Re: Methodology for increasing the number of PBKDF2 iterations

2017-01-05 Thread Martin Koistinen
at 2:13:09 PM UTC-5, Martin Koistinen wrote: > > I think this is a pretty solid guess. Bear in mind this was a direct > install from Python.org. > > The important thing here is, this demonstrates that we cannot just assume > that all Python 3 installs have a "fast

Re: Methodology for increasing the number of PBKDF2 iterations

2017-01-04 Thread Martin Koistinen
I think this is a pretty solid guess. Bear in mind this was a direct install from Python.org. The important thing here is, this demonstrates that we cannot just assume that all Python 3 installs have a "fast" PBKDF2 implementation =/ On Wednesday, January 4, 2017 at 11:33:17 AM UTC-5, Tobias

Re: Methodology for increasing the number of PBKDF2 iterations

2017-01-03 Thread Martin Koistinen
"pbkdf2_sha256" with 100,000 iterations, verification takes, on average, 0.2751s What am I missing here? On Tuesday, January 3, 2017 at 12:45:42 PM UTC-5, Martin Koistinen wrote: > > I think the best practice is to set the iterations as high as you can > tolerate without adversely

Re: Methodology for increasing the number of PBKDF2 iterations

2017-01-03 Thread Martin Koistinen
I think the best practice is to set the iterations as high as you can tolerate without adversely affecting the user experience as they log-in. Iteration numbers as high as 200,000 for SHA-256 or even more are not unheard of these days. Without looking at an application's password expiration