Message411623
NIST provides no official guidance on iteration count other than NIST SP 800-132 Appendix A.2.2, which states "The number of iterations should be set as high as can be tolerated for the environment, while maintaining acceptable performance."
I can think of no better resource for what constitutes acceptable performance at the highest iteration count than popular packages like Django. Django's choice (and lack of evidence that they've had any cause to revert due to performance issues) argues that 390k iterations is a reasonable number in 2022. Certainly the 100k suggested in these docs as of 2013 is no longer best practice as we've seen 9 years of computational improvement in the intervening time.
I would, additionally, suggest that the documentation recommend the use of scrypt where possible over any iteration count of PBKDF2, but increasing the iteration count is still a useful improvement to the docs!

Date | User | Action | Args
2022-01-25 15:46:07 | reaperhulk | set | recipients: + reaperhulk, rhettinger, april, christian.heimes, docs@python, illia-v
2022-01-25 15:46:07 | reaperhulk | set | messageid: <1643125567.65.0.712018535329.issue42982@roundup.psfhosted.org>
2022-01-25 15:46:07 | reaperhulk | link | issue42982 messages
2022-01-25 15:46:07 | reaperhulk | create |
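
An added example, not part of the original message or of the Python documentation: one way to apply the SP 800-132 guidance quoted above is to time PBKDF2 on the target host and scale the iteration count to a latency budget, never dropping below a fixed floor. The 0.25 s budget, the function names and the `$`-separated record layout are assumptions made for this example; the 390,000 floor is the Django figure mentioned in the message.

```python
import hashlib
import hmac
import os
import time

FLOOR = 390_000  # Django's 2022 figure cited in the message, used here as a minimum


def calibrate_iterations(target_seconds=0.25, probe=50_000, floor=FLOOR):
    """Estimate the PBKDF2-HMAC-SHA256 count this host reaches in target_seconds."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe-password", b"probe-salt-16byt", probe)
    elapsed = time.perf_counter() - start
    # PBKDF2 cost is linear in the count, so scale the probe measurement.
    estimate = int(probe * target_seconds / elapsed)
    return max(floor, estimate)


def hash_password(password, iterations):
    """Return a record that stores the count and salt next to the derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Hypothetical record layout: algorithm$iterations$salt_hex$key_hex
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record, current_iterations):
    """Return (ok, needs_rehash); needs_rehash flags records below the current count."""
    _algo, count, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(count)
    )
    ok = hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    # Only a successful login proves we hold the password needed to re-derive.
    return ok, ok and int(count) < current_iterations


if __name__ == "__main__":
    n = calibrate_iterations()
    record = hash_password("correct horse battery staple", n)  # constructed sample
    print(n, verify_password("correct horse battery staple", record, n))
```

Because the count travels with each record, it can be raised later without invalidating stored hashes: records flagged `needs_rehash` are re-derived at the new count on the next successful login.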