Message411624
You are arguing from the perspective of a Django/werkzeug developer and you are using experiential domain knowledge to argue for a higher recommendation.
I'm asking for a scientific answer. Based on my experience 100k PBKDF2 HMAC-SHA256 rounds is already a DoS issue for some use cases. For other use cases even 500k rounds is not the right answer, because the application should rather use a different algorithm altogether.
If you are concerned about PBKDF2's strength, then better switch to Scrypt or Argon2. They are better suited against GPU-based crackers. PBKDF2 is still required for FIPS compliance, but most people can (and should!) ignore FIPS.
Date | User | Action | Args
2022-01-25 15:56:53 | christian.heimes | set | recipients: + christian.heimes, rhettinger, april, docs@python, reaperhulk, illia-v
2022-01-25 15:56:53 | christian.heimes | set | messageid: <1643126213.37.0.177791051804.issue42982@roundup.psfhosted.org>
2022-01-25 15:56:53 | christian.heimes | link | issue42982 messages
2022-01-25 15:56:53 | christian.heimes | create |
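An added example, not from the issue thread or from CPython, that puts numbers on the DoS argument above: it measures the server-side cost of one PBKDF2-HMAC-SHA256 verification at 100k and 500k rounds next to hashlib.scrypt, turns that into the logins per second one core can absorb, and calibrates a round count against a time budget. The credential and the helper names are constructed for the benchmark.

```python
import hashlib
import os
import statistics
import time

# Constructed sample credential for benchmarking only (not a real secret).
PASSWORD = b"correct horse battery staple"
SALT = os.urandom(16)


def pbkdf2_seconds(rounds: int, repeats: int = 3) -> float:
    """Median wall-clock seconds for one PBKDF2-HMAC-SHA256 derivation."""
    samples = []
    for _ in range(repeats):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", PASSWORD, SALT, rounds, dklen=32)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def scrypt_seconds(n: int = 2**14, r: int = 8, p: int = 1, repeats: int = 3) -> float:
    """Median seconds for one scrypt derivation (memory-hard, GPU-unfriendly)."""
    samples = []
    for _ in range(repeats):
        t0 = time.perf_counter()
        hashlib.scrypt(PASSWORD, salt=SALT, n=n, r=r, p=p, dklen=32)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


def logins_per_core_second(seconds_per_hash: float) -> float:
    """Upper bound on password verifications one CPU core can absorb per second."""
    return 1.0 / seconds_per_hash


def calibrate_pbkdf2(target_seconds: float, probe_rounds: int = 20_000) -> int:
    """Round count costing about target_seconds here; PBKDF2 cost is linear in rounds."""
    per_round = pbkdf2_seconds(probe_rounds) / probe_rounds
    return max(1, int(target_seconds / per_round))


if __name__ == "__main__":
    for rounds in (100_000, 500_000):
        s = pbkdf2_seconds(rounds)
        print(f"PBKDF2 {rounds:>7} rounds: {s * 1000:7.1f} ms/hash, "
              f"~{logins_per_core_second(s):6.0f} logins/core/s")
    s = scrypt_seconds()
    print(f"scrypt n=2^14 r=8 p=1:   {s * 1000:7.1f} ms/hash, "
          f"~{logins_per_core_second(s):6.0f} logins/core/s")
    print("PBKDF2 rounds for a 100 ms budget on this machine:", calibrate_pbkdf2(0.1))
```

The logins/core/s figure is the ceiling an unauthenticated login endpoint can sustain before it saturates the CPU, which is the capacity-planning number the DoS point turns on.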