classification
Title: Update suggested number of iterations for pbkdf2_hmac()
Type: Stage: patch review
Components: Documentation Versions:
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: docs@python Nosy List: christian.heimes, docs@python, illia-v, rhettinger
Priority: normal Keywords: patch

Created on 2021-01-20 20:06 by illia-v, last changed 2021-02-07 20:32 by illia-v.

Pull Requests
URL Status Linked Edit
PR 24276 open illia-v, 2021-01-20 20:16
Messages (7)
msg385365 - (view) Author: Illia Volochii (illia-v) * Date: 2021-01-20 20:06
Documentation [1] suggests using at least 100,000 iterations of SHA-256 as of 2013.

Currently, it is 2021, and it is common to use much more iterations.
For example, Django will use 260,000 by default in the next 3.2 LTS release and 320,000 in 4.0 [2][3].

I suggest suggesting at least 250,000 iterations that is a somewhat round number close to the one used by modern libraries.

[1] https://docs.python.org/3/library/hashlib.html#hashlib.pbkdf2_hmac
[2] https://github.com/django/django/commit/f2187a227f7a3c80282658e699ae9b04023724e5
[3] https://github.com/django/django/commit/a948d9df394aafded78d72b1daa785a0abfeab48
msg385442 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-01-21 19:14
Is there any scientific research or mathematical proof for 250,000 iteration?
msg385455 - (view) Author: Illia Volochii (illia-v) * Date: 2021-01-21 22:39
I didn't find any. I think it is based on some benchmarks like `openssl speed sha`.
msg385939 - (view) Author: Raymond Hettinger (rhettinger) * (Python committer) Date: 2021-01-29 20:59
FWIW, OnePass uses 100,000.  https://support.1password.com/pbkdf2/

Also, I don't think an additional time factor of 2.5x would make substantial difference in security, but it may make a noticeable difference in user authentication time.
msg385944 - (view) Author: Illia Volochii (illia-v) * Date: 2021-01-29 21:40
> FWIW, OnePass uses 100,000.  https://support.1password.com/pbkdf2/

There is a history section on that page. And current 100,000 is ten times more than 1Password used in 2013 when the suggestion was added to the documentation.

> Also, I don't think an additional time factor of 2.5x would make substantial difference in security, but it may make a noticeable difference in user authentication time.

2.5x difference can be substantial if x is hours, days, or years :)
msg385992 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-01-30 18:30
PBKDF2-HMAC is a serialized algorithm. It cannot be parallized. That means the runtime depends on single core-performance. The single core-performance of desktop and server CPUs hasn't improved much in the last decade. Modern CPUs have more cores, larger caches, and better IPC. Intel Nehalem architecture from 2009 had up to 3.33 GHz. Fast 2020 Comet Lake CPUs have up to 3.7 GHz base frequence and about 5GHz turbo.
msg386605 - (view) Author: Illia Volochii (illia-v) * Date: 2021-02-07 20:32
Clock rate is not the only indicator. Some new instructions supporting SHA were introduced during the last decade.

https://software.intel.com/content/www/us/en/develop/articles/intel-sha-extensions.html
https://software.intel.com/content/www/us/en/develop/articles/improving-openssl-performance.html
https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/sha-256-implementations-paper.pdf
History
Date User Action Args
2021-02-07 20:32:14illia-vsetmessages: + msg386605
2021-01-30 18:30:14christian.heimessetmessages: + msg385992
2021-01-29 21:40:15illia-vsetmessages: + msg385944
2021-01-29 20:59:48rhettingersetnosy: + rhettinger
messages: + msg385939
2021-01-21 22:39:09illia-vsetmessages: + msg385455
2021-01-21 19:14:30christian.heimessetnosy: + christian.heimes
messages: + msg385442
2021-01-20 20:16:38illia-vsetkeywords: + patch
stage: patch review
pull_requests: + pull_request23099
2021-01-20 20:06:39illia-vcreate