On Sep 15, 2013, at 2:59 PM, Florian Apolloner <[email protected]> wrote:
> Hi Ram, > > On Sunday, September 15, 2013 12:34:03 PM UTC+2, Ram Rachum wrote: > Florian, I'm not sure that you read my message carefully enough. I'm not > proposing to reduce the time that PBKDF2 takes to hash. > > By replacing the password with a hash before running it through PBKDF2 you > are reducing that time for every password longer than the hash… And given the > way PBKDF2 works you'll reduce it by quite a bit (note that all of this only > applies to passwords longer than the hash, so it's probably pretty > academical). Either way, we'd at least need a new hasher class since it would > be backwards incompatible. Independent of that we'd have to evaluate if > pre-hashing the password could make PBKDF2 less secure (probably not to > likely, but who knows). According to Thomas Porin in the context of bcrypt pre-hashing the password is fine (and we already do this in Django 1.6). I see no reason the same wouldn't hold true for PBKDF2. ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
signature.asc
Description: Message signed with OpenPGP using GPGMail
