Django has a very nice implementation for hashing passwords using PBKDF2 and a number of iterations to increase the work-load. Thanks!
I know this is very customizable and I know how to do this. This post is not about "how". What I would like to know is the methodology and "inputs" into deciding the number of iterations. For a quick summary, these iterations change with every recent iteration of Django as follows: - Django 1.10: uses 30000 iterations - Django 1.9: 24000 - Django 1.8: 20000 - Django 1.7: 15000 - ... Clearly these are increased to offset increases in computational power of the typical server, etc. But is there anything more methodical to this than just "hey, let's add some iterations to the default password hasher" for each release? Ideally, someone could make plain the methodology used, the inputs/assumptions and the desired strength achieved (I.e., how many days of brute-forcing does a hashed password withstand on some assumed set of hardware). I suspect that the Django project is not inventing the methodology but rather is using a reference to a study somewhere. Anyone have this handy somewhere? Many thanks! -- You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com. To post to this group, send email to django-users@googlegroups.com. Visit this group at https://groups.google.com/group/django-users. To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/6442d30d-5b00-43ec-8cdd-0376f170a8b2%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
