Re: Switching the default password hasher to Argon2 (was: Methodology for increasing the number of PBKDF2 iterations)

2017-01-16 Thread urijah
One issue is that as far as I know, only PBKDF2 is officially approved by the NIST for password hashing. Many security standards explicitly or implicitly (e.g. "strong cryptography") defer to the NIST, and even if

Re: Switching the default password hasher to Argon2 (was: Methodology for increasing the number of PBKDF2 iterations)

2017-01-16 Thread Josh Smeaton
Hah, sure, exactly like that! Is it documented? Yes, yes it is. https://docs.djangoproject.com/en/1.10/topics/auth/passwords/#using-argon2-with-django On Monday, 16 January 2017 20:12:23 UTC+11, Florian Apolloner wrote: > > > > On Monday, January 16, 2017 at 3:56:44 AM UTC+1, Josh Smeaton

Re: Switching the default password hasher to Argon2 (was: Methodology for increasing the number of PBKDF2 iterations)

2017-01-16 Thread Florian Apolloner
On Monday, January 16, 2017 at 3:56:44 AM UTC+1, Josh Smeaton wrote: > > I think adding argon2_cffi to extra_requires could be a good idea, so that > users can pip install Django[argon2_cffi]. > You mean like https://github.com/django/django/blob/master/setup.py#L53 *scnr*

Re: Switching the default password hasher to Argon2 (was: Methodology for increasing the number of PBKDF2 iterations)

2017-01-15 Thread Josh Smeaton
> That said, it is pretty incredible that beginners can (still) install Django just about anywhere they have Python without compiling anything at all. I think this comment perfectly summarises my initial resistance to forcing this change. I think adding argon2_cffi to extra_requires could be

Switching the default password hasher to Argon2 (was: Methodology for increasing the number of PBKDF2 iterations)

2017-01-15 Thread Tobias McNulty
On Thu, Jan 5, 2017 at 10:58 AM, Martin Koistinen wrote: > Slightly off-topic, this presents a really nice case for switching to > Argon2 via argon2_cffi (supported in Django 1.10+). It's super fast (C-lib) > and resistant to GPU/ASIC brute-forcing. So, whereas an