pbkdf2_ctypes is at least 20x faster than the Flask, Django or web2py fallback implementation. I think it takes much more time to transmit than to hash on common connections ;-)
2013/9/15 samuel bonill <[email protected]>

> thanks massimo...
>
> On Sunday, 15 September 2013 08:32:12 UTC-5, Massimo Di Pierro wrote:
>
>> A serious DoS vulnerability was found and reported in Django today:
>>
>> https://www.djangoproject.com/weblog/2013/sep/15/security/
>>
>> We use the same default hashing algorithm for passwords, PBKDF2, so some
>> of you may worry about the same vulnerability affecting web2py. Well NO! We
>> are safe. This is because web2py always validates (and always did) the
>> length of the password strings and it is capped to 256 bytes.
>>
>> https://github.com/web2py/web2py/blob/master/gluon/dal.py#L6892
>>
>> This is also the time to point out that web2py (since 2.6.x) uses its own
>> implementation of PBKDF2, written by Michele Comitini, which is 10x faster
>> than the original version used by Flask and Django.
>>
>> Given this vulnerability (in Django) probably we will modify our library
>> so that, if used outside of web2py, there is a max password length enforced
>> by the library itself. You may see this patch in the near future. Again
>> this does not affect us but may affect others in case they choose to use it.
>>
>> Massimo
>>
> --
> Resources:
> - http://web2py.com
> - http://web2py.com/book (Documentation)
> - http://github.com/web2py/web2py (Source code)
> - https://code.google.com/p/web2py/issues/list (Report Issues)
> ---
> You received this message because you are subscribed to the Google Groups
> "web2py-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
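Added example, not part of the thread and not web2py's code: a sketch of the length cap the thread describes, enforced inside the hashing helper itself so that callers outside a framework validator are covered too. The 256-byte cap is the figure from the thread; the function names, the storage format, the iteration count and the use of the standard library's hashlib.pbkdf2_hmac are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 256  # cap quoted in the thread
ITERATIONS = 1000         # assumed demo value, not a recommendation
SALT_BYTES = 16           # assumed


class PasswordTooLong(ValueError):
    """Raised before any key derivation work is done."""


def _checked_bytes(password):
    # Measure the encoded form: the cap is in bytes, and a multi-byte
    # character counts for more than one.
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    return raw


def hash_password(password, salt=None):
    raw = _checked_bytes(password)
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", raw, salt, ITERATIONS)
    # Constructed storage format: scheme$iterations$salt$hash
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    # The login path is where unauthenticated input arrives, so the
    # cap applies here as well; an oversized guess fails cheaply.
    try:
        raw = _checked_bytes(password)
    except PasswordTooLong:
        return False
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", raw, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
```
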

