I agree. The question in my mind is how to pick an appropriate number of 
iterations so that we don't risk causing a DoS on (at least most) existing 
sites due to increased CPU usage. Or at least, can we offer some 
suggestions about how to tell if your site receives sufficient traffic that 
you might be impacted? Did anyone notice increased CPU usage in past 
upgrades?

On Tuesday, January 10, 2017 at 1:27:19 PM UTC-5, Tobias McNulty wrote:
>
> IMO this doesn't change the argument that it would be best to default to 
> the higher number of iterations (i.e., 100k or higher, given some time has 
> passed since 2013), while noting in the documentation that individual 
> projects have the ability to reduce it if need be (though perhaps 
> recommending that they try first to find a faster Python). Other thoughts?
>
> On Mon, Jan 9, 2017 at 10:44 PM, Martin Koistinen <[email protected]> wrote:
>
>> The Python3.5 on my system was installed by the official Python 
>> installer, and is almost 3X slower than the Apple-built 2.7 install. I use 
>> pip all day long.
>>
>> True, my MacBook is not a server, but it still serves to demonstrate the 
>> point that it is not a reasonable assumption that all 3.5 installs use 
>> OpenSSL libraries.
>>
>> On Monday, January 9, 2017 at 7:39:18 PM UTC-5, Tim Graham wrote:
>>>
>>> About "we cannot just assume that all Python 3 installs have a "fast" 
>>> PBKDF2 implementation" -- I'd expect very few if any Django users to be 
>>> compiling their own Python and doing so without OpenSSL. I'm guessing that 
>>> any operating system Python will have the OpenSSL bindings. Or is that a 
>>> bad assumption?
>>>
>>> On Wednesday, January 4, 2017 at 2:13:09 PM UTC-5, Martin Koistinen 
>>> wrote:
>>>>
>>>> I think this is a pretty solid guess. Bear in mind this was a direct 
>>>> install from Python.org.
>>>>
>>>> The important thing here is, this demonstrates that we cannot just 
>>>> assume that all Python 3 installs have a "fast" PBKDF2 implementation =/
>>>>
>>>> On Wednesday, January 4, 2017 at 11:33:17 AM UTC-5, Tobias McNulty 
>>>> wrote:
>>>>
>>>>> ... 
>>>>>
>>>>> Martin, is it possible your version of Python 3 is not linked against 
>>>>> OpenSSL and hence is missing the fast version of pbkdf2_hmac? I haven't 
>>>>> had a chance to try your benchmark yet, but in a quick test I don't see any 
>>>>> difference between Python 3.5.2 and Python 2.7.12 on a Mac.
>>>>>
>>>>> Tobias
>>>>>
>>>>
>>>>  
>>>>
>>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Django developers (Contributions to Django itself)" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at https://groups.google.com/group/django-developers.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/django-developers/9261dcdc-f3b2-458c-a6e1-bde49642c56b%40googlegroups.com.
>>
>> For more options, visit https://groups.google.com/d/optout.
>>
>
> -- 
> *Tobias McNulty*
> Chief Executive Officer
> [email protected]
> www.caktusgroup.com
>
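
One way to answer the two questions raised in this thread on a given host, as an added example that is not part of the original messages or of Django's code: check whether `hashlib.pbkdf2_hmac` is the compiled implementation, then measure its cost and turn that into a sustainable login rate. The function names, the 25% CPU budget and the 4-core figure are assumptions chosen for illustration.

```python
import hashlib
import os
import time
import types


def openssl_backed():
    """True if hashlib.pbkdf2_hmac is the compiled (OpenSSL) implementation.

    Assumption: on CPython the C version is a builtin, while the slow
    fallback shipped in older 3.x releases is a plain Python function.
    """
    fn = getattr(hashlib, "pbkdf2_hmac", None)
    return isinstance(fn, types.BuiltinFunctionType)


def seconds_per_hash(iterations, repeats=3):
    """Best-of-N wall-clock time for one PBKDF2-HMAC-SHA256 computation."""
    password = b"constructed-sample-password"  # constructed test input
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def max_logins_per_second(hash_seconds, cores=1, cpu_budget=0.25):
    """Login rate that keeps hashing within cpu_budget of each core."""
    if hash_seconds <= 0 or not 0 < cpu_budget <= 1:
        raise ValueError("hash_seconds must be > 0 and cpu_budget in (0, 1]")
    return cores * cpu_budget / hash_seconds


def iterations_for_target(target_seconds, probe_iterations=20000):
    """Iteration count costing about target_seconds per hash on this host.

    PBKDF2 cost is linear in the iteration count, so one probe is scaled.
    """
    per_iteration = seconds_per_hash(probe_iterations) / probe_iterations
    return max(1, int(target_seconds / per_iteration))


if __name__ == "__main__":
    cost = seconds_per_hash(100_000)  # the 100k default proposed above
    print("OpenSSL-backed pbkdf2_hmac:", openssl_backed())
    print("100k iterations: %.1f ms per login" % (cost * 1000))
    print("sustainable logins/s on 4 cores: %.1f" % max_logins_per_second(cost, 4))
    print("iterations for ~50 ms:", iterations_for_target(0.05))
```

Comparing the resulting rate with the peak login rate in your access logs shows how much headroom a higher iteration count leaves.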
