Hi everybody, I've submitted the patch, and corrected it, and it's been sitting on the issue tracker for 2 weeks without anyone commenting. Does anyone care to discuss this? I want to have this merged in, or discuss any problems in merging it in.
On Sun, Sep 15, 2013 at 11:27 PM, Ram Rachum <[email protected]> wrote:

> Submitted patch:
>
> https://code.djangoproject.com/ticket/21105#comment:1
>
> On Sunday, September 15, 2013 10:09:55 PM UTC+3, Donald Stufft wrote:
>>
>> On Sep 15, 2013, at 2:59 PM, Florian Apolloner <[email protected]> wrote:
>>
>> Hi Ram,
>>
>> On Sunday, September 15, 2013 12:34:03 PM UTC+2, Ram Rachum wrote:
>>>
>>> Florian, I'm not sure that you read my message carefully enough. I'm *not* proposing to reduce the time that PBKDF2 takes to hash.
>>
>> By replacing the password with a hash before running it through PBKDF2 you are reducing that time for every password longer than the hash… And given the way PBKDF2 works you'll reduce it by quite a bit (note that all of this only applies to passwords longer than the hash, so it's probably pretty academical). Either way, we'd at least need a new hasher class since it would be backwards incompatible. Independent of that we'd have to evaluate if pre-hashing the password could make PBKDF2 less secure (probably not too likely, but who knows).
>>
>> According to Thomas Porin in the context of bcrypt pre-hashing the password is fine (and we already do this in Django 1.6). I see no reason the same wouldn't hold true for PBKDF2.
>>
>> -----------------
>> Donald Stufft
>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
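An added example, not part of the original thread and not Django's code: HMAC (RFC 2104) replaces any key longer than the hash's block size with its digest, so this sketch compares PBKDF2 over the raw password with PBKDF2 over a pre-hashed password for lengths on either side of that boundary. The salt, iteration count and passwords are constructed sample values, and the function names are hypothetical.

```python
import hashlib

SALT = b"constructed-salt"   # constructed sample value, not from the thread
ITERATIONS = 1000            # kept low so the example runs quickly


def pbkdf2(password: bytes, digest: str = "sha256") -> bytes:
    """PBKDF2-HMAC over the password exactly as given."""
    return hashlib.pbkdf2_hmac(digest, password, SALT, ITERATIONS)


def prehashed_pbkdf2(password: bytes, digest: str = "sha256") -> bytes:
    """Hash the password once, then run PBKDF2 over that digest."""
    return pbkdf2(hashlib.new(digest, password).digest(), digest)


def prehash_changes_output(password: bytes, digest: str = "sha256") -> bool:
    """True when pre-hashing yields a different derived key."""
    return pbkdf2(password, digest) != prehashed_pbkdf2(password, digest)


def boundary_report(digest: str = "sha256") -> dict:
    """Check password lengths around the HMAC block size of `digest`."""
    block = hashlib.new(digest).block_size
    lengths = (8, block - 1, block, block + 1, 4 * block)
    return {n: prehash_changes_output(b"a" * n, digest) for n in lengths}


if __name__ == "__main__":
    for name in ("sha1", "sha256", "sha512"):
        block = hashlib.new(name).block_size
        print(f"{name} (HMAC block size {block} bytes)")
        for length, changed in boundary_report(name).items():
            verdict = "different key" if changed else "identical key"
            print(f"  {length:4d}-byte password: pre-hash gives {verdict}")
```

Passwords longer than the block size derive the same key either way, because HMAC already hashes them; at or below the block size an unconditional pre-hash changes the derived key, so stored hashes would no longer verify.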
