[issue42982] Update suggested number of iterations for pbkdf2_hmac()

2022-01-27 Thread April King
April King added the comment: The code snippet still uses 10. Given that many people will simply copy-and-paste without questioning, should we update that too?

[issue42982] Update suggested number of iterations for pbkdf2_hmac()

2022-01-25 Thread April King
April King added the comment: Django probably stores and computes more passwords than every other Python framework combined, and it doesn't provide you any control over the number of iterations. And it hasn't for years. If this were truly a problem, wouldn't their users be complaining about

[issue42982] Update suggested number of iterations for pbkdf2_hmac()

2022-01-24 Thread April King
April King added the comment: Django uses 390,000 iterations as of late 2021, as does the Python Cryptography project. We should be aligned with their recommendations, or at least a good deal closer than we are now. 390,000 actually makes it a conservative recommendation for key derivation

[issue18617] AIA chasing for missing intermediate certificates on TLS connections

2017-05-17 Thread April King
April King added the comment: Err, sorry, I may have been a bit unclear. AIA chasing is not *universal* amongst browsers. IE, Edge, Chrome, and Safari perform AIA chasing. Firefox maintains a cache of intermediate certificate authorities. I noted that a bit further underneath, but my

[issue18617] AIA chasing for missing intermediate certificates on TLS connections

2017-05-17 Thread April King
April King added the comment: Browsers universally support AIA chasing/fetching, as do a number of underlying OS libraries, such as Secure Transport (macOS) and schannel (Windows). As a result, it is becoming increasingly common for server operators to fail to include the entire certificate