Message 274838 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	benjamin.peterson
Recipients	alex, benjamin.peterson, christian.heimes, gregory.p.smith, python-dev, xiang.zhang
Date	2016-09-07.17:01:57
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1473267714.850188.718635721.06CE91FF@webmail.messagingengine.com>
In-reply-to	<CAFRnB2UoFybALX=M47NeA_-sPsH0iCZQadYasvYo_UZ+p2xzqQ@mail.gmail.com>

Content
PEP 466 is explicitly not blanket approval for backporting All The Things to 2.7. The only justification for pbkdf2 in PEP 466 is to "lower the barriers to secure password storage and checking in Python 2 server applications". While scrypt is probably a bit better, applications using pkbdf2 are still in a much better situation than ones using, e.g., a naïve salted hash. There is a self-contained, easily-installable scrypt module on PyPI.

PEP 466 is explicitly not blanket approval for backporting All The
Things to 2.7. The only justification for pbkdf2 in PEP 466 is to "lower
the barriers to secure password storage and checking in Python 2 server
applications". While scrypt is probably a bit better, applications using
pkbdf2 are still in a much better situation than ones using, e.g., a
naïve salted hash.

There is a self-contained, easily-installable scrypt module on PyPI.

History
Date	User	Action	Args
2016-09-07 17:01:57	benjamin.peterson	set	recipients: + benjamin.peterson, gregory.p.smith, christian.heimes, alex, python-dev, xiang.zhang
2016-09-07 17:01:57	benjamin.peterson	link	issue27928 messages
2016-09-07 17:01:57	benjamin.peterson	create