AFAIK upstream Python does use an optimized PBKDF2 (and OpenSSL 1.1.0 also has it).
Alex On Sat, Aug 20, 2016 at 4:02 PM, Florian Apolloner <[email protected]> wrote: > Ups, just realized that we use pbldf2 for more than just password hashing > -- if that where not the case the multi-library approach like the bcrypt > hasher uses would be preferred. That said, I would still prefer it if you > got in contact with Christian Heimes from Python to push this into Python > itself (or OpenSSL for that matter, didn't check the code). > > On Saturday, August 20, 2016 at 9:46:27 PM UTC+2, Florian Apolloner wrote: >> >> What was the motivation for writing your own library instead of improving >> the version in python itself? Personally I do not see much gain, if you >> have to install a dependency, you could as well just install bcrypt or >> argon2 and ditch pbkdf2. For those people where it really makes a >> difference, a custom backend as you already have should be just fine. >> >> On Saturday, August 20, 2016 at 1:53:21 PM UTC+2, Terry Chia wrote: >>> >>> Greetings, >>> >>> 11 months ago, I opened a ticket (#25395) on the bug tracker about >>> potentially adding a dependency on python-fastpbkdf2, a library I wrote and >>> maintain that provides a faster implementation of PBKDF2 than the stdlib >>> while maintaining API compatibility. Tim rightly pointed out that he was >>> hesitant to add a dependency on a new library in a security-sensitive area >>> and suggested that I write to this list to gather feedback. Sadly, I got >>> really busy with work and neglected to follow up on it at that point in >>> time. >>> >>> 11 months later, I am hoping to open up the discussion again. In that >>> time period, passlib has opted to add a optional dependency on the library >>> [0], there has been a third party library that integrates python-fastpbkdf2 >>> with Django[1] and having used it in a number of internal projects, it is >>> definitely stable. I have a patch ready to go if the interest is there. >>> >>> So Django developers, what do you think? >>> >>> [0]: https://bitbucket.org/ecollins/passlib/issues/67/add- >>> an-optional-dependency-on-python >>> [1]: https://github.com/smartfile/django-fastpbkdf2 >>> >> -- > You received this message because you are subscribed to the Google Groups > "Django developers (Contributions to Django itself)" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at https://groups.google.com/group/django-developers. > To view this discussion on the web visit https://groups.google.com/d/ > msgid/django-developers/054efcdd-1c09-455a-ae7a- > e0f8d36f8ba6%40googlegroups.com > <https://groups.google.com/d/msgid/django-developers/054efcdd-1c09-455a-ae7a-e0f8d36f8ba6%40googlegroups.com?utm_medium=email&utm_source=footer> > . > > For more options, visit https://groups.google.com/d/optout. > -- "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero GPG Key fingerprint: D1B3 ADC0 E023 8CA6 -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFRnB2XKCpQAKaneOY6QxPu0cJDDJpCUXy32-RRiHhunTBUc9g%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
