Changes between Initial Version and Version 1 of Ticket #21105, comment 4


Timestamp:
Sep 16, 2013, 11:56:16 PM (11 years ago)
Author:
Paul Oswald

  • Ticket #21105, comment 4

    initial  v1
    1        1   The point of PBKDF-2 is key-stretching. That is, to make it at least some configurable difficulty level to calculate. It does this by passing multiple rounds of a derivation function which is currently sha256. (https://github.com/django/django/blob/master/django/utils/crypto.py#L136)
    2        2
    3            There are many places in this function that would be sensitive to input length (such as the force_bytes call) but I have two comments regarding that:   (removed)
             3   There are many places in this function that would be sensitive to input length (such as the force_bytes call) but I have some comments regarding that:   (added)
    4        4
    5        5   - I'm not convinced we should be trying to make the hasher work in constant time given any input. Ideally, its goal is to ensure a minimum time/memory/computational cost. I think maybe it would be better to have the caller responsible to prevent overly long input from going in.
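The following is an added illustration of the two points made in the comment above; it is example code written for this page, not Django's crypto.py and not anything posted on the ticket. It implements PBKDF2-HMAC-SHA256 twice: once building a fresh HMAC per iteration, so that the per-iteration cost grows with the password length (HMAC hashes any key longer than the 64-byte SHA-256 block down before use), and once with the keyed state prepared a single time, so the cost is independent of input length. It then shows the caller-side guard the comment proposes, a length cap applied before any stretching happens. The names `MAX_PASSWORD_BYTES`, `pbkdf2_naive`, `pbkdf2_keyed_once`, `derive_key` and `cost_ratio`, and the 4096-byte limit, are assumptions of this example.

```python
"""PBKDF2-HMAC-SHA256 two ways, plus a caller-side length cap.

Added example for the ticket discussion; not Django's implementation.
All names and the cap value below are assumptions of this example.
"""
import hashlib
import hmac
import struct
import time

MAX_PASSWORD_BYTES = 4096  # assumed cap; choose what your callers actually need


def _pbkdf2(prf, salt, iterations, dklen):
    """Generic PBKDF2 loop (RFC 2898 5.2) over a PRF that maps bytes -> 32 bytes.
    T_i = U_1 xor U_2 xor ... xor U_c, with U_1 = PRF(salt || INT(i)), U_j = PRF(U_{j-1})."""
    out = b""
    block_index = 1
    while len(out) < dklen:
        u = prf(salt + struct.pack(">I", block_index))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(32, "big")
        block_index += 1
    return out[:dklen]


def pbkdf2_naive(password, salt, iterations, dklen=32):
    """A fresh HMAC object per iteration.  HMAC reduces any key longer than the
    64-byte SHA-256 block size with one extra SHA-256 over the whole key, so
    each of the `iterations` calls pays O(len(password)) on top of the fixed
    work: the running time depends on input length."""
    return _pbkdf2(lambda m: hmac.new(password, m, hashlib.sha256).digest(),
                   salt, iterations, dklen)


def pbkdf2_keyed_once(password, salt, iterations, dklen=32):
    """Same function, same output, but the keyed inner/outer states are built
    once and copied per iteration, so the long-key reduction happens a single
    time and the per-iteration cost no longer depends on password length."""
    base = hmac.new(password, digestmod=hashlib.sha256)

    def prf(m):
        h = base.copy()
        h.update(m)
        return h.digest()

    return _pbkdf2(prf, salt, iterations, dklen)


def derive_key(password, salt, iterations=100_000, dklen=32):
    """The caller-side guard the comment proposes: reject oversized input before
    any stretching is done, then hand off to the stdlib implementation."""
    pw = password.encode("utf-8") if isinstance(password, str) else password
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen)


def cost_ratio(fn, iterations=3000):
    """Wall-clock ratio of a 64 KiB password to an 8-byte one, same iterations.
    Near 1.0 means the function's cost is independent of input length."""
    def timed(pw):
        t0 = time.perf_counter()
        fn(pw, b"salt", iterations)
        return time.perf_counter() - t0
    return timed(b"p" * 65536) / timed(b"password")


if __name__ == "__main__":
    print("naive      long/short time ratio: %.1f" % cost_ratio(pbkdf2_naive))
    print("keyed-once long/short time ratio: %.1f" % cost_ratio(pbkdf2_keyed_once))
```

Both hand-written variants produce the same bytes as `hashlib.pbkdf2_hmac`; only the naive one lets an attacker multiply the server's work by sending a long password, which is the input-length sensitivity the comment refers to. `derive_key` takes the other route the comment suggests: it does not try to make stretching constant-time for arbitrary input, it bounds the input at the boundary and leaves the iteration count as the only cost knob.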