On Sunday, September 15, 2013 11:45:29 AM UTC+2, Ram Rachum wrote:
> What if instead of calculating the PBKDF2 hash of the password, we'll
> calculate the PBKDF2 hash of its SHA1 hash? Then the time of checking
> passwords wouldn't depend on their length, and we wouldn't even have to
> place a limit of 4096 characters on passwords-- An attacker could try a
> 1MB-long password but it would slow us down the same amount as trying
> "123456" would.
>

PBKDF2 takes long by design…

A better long term solution would be to rate limit password attempts…
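The pre-hashing scheme from the quoted message, written out as an added example (this is not code from the thread, nor Django's own hasher). It fixes the PBKDF2 input at SHA-1's 20 bytes so the derivation cost is the same for "123456" and for a 1 MB password, stores the result under a hypothetical algorithm label so it is never confused with a plain PBKDF2 hash, and verifies with a constant-time comparison. The iteration count, digest, key length and label are assumptions for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters for this example, not values from the thread.
ITERATIONS = 100_000
DIGEST = "sha256"
DKLEN = 32
# Hypothetical format label: prehashed hashes are not interchangeable with
# plain PBKDF2 hashes, so the stored string must say which scheme produced it.
ALGORITHM = "pbkdf2_sha256_sha1pre"


def prehash(password: bytes) -> bytes:
    """Collapse a password of any length to a fixed 20-byte SHA-1 digest.

    PBKDF2 then always runs over 20 bytes, so its cost no longer depends on
    the length of what the client sent and no input length cap is required.
    """
    return hashlib.sha1(password).digest()


def derive(password: bytes, salt: bytes, iterations: int = ITERATIONS,
           prehashed: bool = True) -> bytes:
    """PBKDF2-HMAC over either the raw password or its SHA-1 prehash."""
    key_material = prehash(password) if prehashed else password
    return hashlib.pbkdf2_hmac(DIGEST, key_material, salt, iterations, dklen=DKLEN)


def make_hash(password: bytes, salt: Optional[bytes] = None,
              iterations: int = ITERATIONS) -> str:
    """Encode label, iteration count, salt and derived key as one '$'-separated string."""
    if salt is None:
        salt = os.urandom(16)
    dk = derive(password, salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify(password: bytes, stored: str) -> bool:
    """Re-derive from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False  # produced by some other scheme; never compare across schemes
    candidate = derive(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def time_derivation(password: bytes, prehashed: bool, iterations: int = 20_000) -> float:
    """Wall-clock seconds for one derivation, to show the length effect."""
    salt = b"constructed-fixed-salt"  # constructed for the demo only
    start = time.perf_counter()
    derive(password, salt, iterations, prehashed=prehashed)
    return time.perf_counter() - start


if __name__ == "__main__":
    short = b"123456"
    huge = b"A" * (1024 * 1024)  # constructed 1 MB password, as in the thread
    stored = make_hash(short)
    print(stored)
    print("correct password verifies:", verify(short, stored))
    print("wrong password rejected:  ", verify(b"123457", stored))
    for label, pw in (("6 B", short), ("1 MB", huge)):
        print(f"{label:>5} password  raw input: {time_derivation(pw, False):.3f}s"
              f"  prehashed: {time_derivation(pw, True):.3f}s")
```

How large the timing gap is on the raw path depends on the PBKDF2 underneath: HMAC hashes an over-long key down to block size, and an implementation that re-keys on every iteration pays that 1 MB hash once per iteration, whereas one that sets the key up once (as OpenSSL's `pbkdf2_hmac` does) pays it a single time. Pre-hashing makes the bound independent of which implementation is in use, which is the property the quoted message is after.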
