Author christian.heimes
Recipients april, christian.heimes, docs@python, illia-v, reaperhulk, rhettinger
Date 2022-01-25.15:56:53
Message-id <1643126213.37.0.177791051804.issue42982@roundup.psfhosted.org>
Content
You are arguing from the perspective of a Django/werkzeug developer and you are using experiential domain knowledge to argue for higher recommendation.

I'm asking for a scientific answer. Based on my experience 100k PBKDF2 HMAC-SHA256 rounds is already a DoS issue for some use cases. For other use cases even 500k rounds is not the right answer, because the application should rather use a different algorithm altogether.

If you are concerned about PBKDF2's strength, then better switch to Scrypt or Argon2. They are better suited against GPU-based crackers. PBKDF2 is still required for FIPS compliance, but most people can (and should!) ignore FIPS.
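The cost trade-off discussed in this message, as an added example that is not part of the issue thread or of CPython's own code: it measures what one PBKDF2-HMAC-SHA256 derivation costs a server at a given iteration count (and therefore how many logins one core can verify per second before it becomes a DoS bottleneck), and shows the scrypt alternative from the same `hashlib` module. Function names and the constructed sample password are assumptions of this example.

```python
"""Cost of PBKDF2 iteration counts vs. scrypt, using only the standard library."""
import hashlib
import hmac
import os
import time

DKLEN = 32  # derived key length in bytes


def pbkdf2_derive(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 key derivation; CPU cost grows linearly with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=DKLEN)


def pbkdf2_verify(password: bytes, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Constant-time comparison so verification does not leak key bytes via timing."""
    return hmac.compare_digest(pbkdf2_derive(password, salt, iterations), expected)


def scrypt_derive(password: bytes, salt: bytes, n: int = 2**14, r: int = 8, p: int = 1) -> bytes:
    """scrypt is memory-hard: each guess needs about 128*n*r bytes of RAM, not just CPU time,
    which is what makes it a better fit against GPU crackers than PBKDF2."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=DKLEN)


def pbkdf2_seconds(iterations: int, password: bytes = b"constructed-sample") -> float:
    """Wall-clock seconds for one derivation: the CPU budget a server pays per login attempt."""
    salt = os.urandom(16)  # fresh random salt, as a real credential store would use
    start = time.perf_counter()
    pbkdf2_derive(password, salt, iterations)
    return time.perf_counter() - start


def max_logins_per_core_second(iterations: int) -> float:
    """Upper bound on password verifications one CPU core can serve per second."""
    return 1.0 / pbkdf2_seconds(iterations)


if __name__ == "__main__":
    # Compare the iteration counts debated above; the numbers are machine-specific.
    for rounds in (10_000, 100_000, 500_000):
        ms = pbkdf2_seconds(rounds) * 1000
        print(f"{rounds:>8} rounds: {ms:7.1f} ms/derivation, "
              f"~{max_logins_per_core_second(rounds):.0f} logins/core/s")
```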