Changes between Initial Version and Version 1 of Ticket #21105, comment 4
- 09/16/2013 11:56:16 PM (4 years ago)
Line 1 (unchanged between initial and v1):
The point of PBKDF-2 is key-stretching. That is, to make it at least some configurable difficulty level to calculate. It does this by passing multiple rounds of a derivation function which is currently sha256. ( https://github.com/django/django/blob/master/django/utils/crypto.py#L136)

Line 3 (changed):
  initial: There are many places in this function that would be sensitive to input length (such as the force_bytes call) but I have two comments regarding that:
  v1:      There are many places in this function that would be sensitive to input length (such as the force_bytes call) but I have comments regarding that:

Line 5 (unchanged between initial and v1):
- I'm not convinced we should be trying to make the hasher work in constant time given any input. Ideally, its goal is to ensure a minimum time/memory/computational cost. I think maybe it would be better to have the caller responsible to prevent overly long input from going in.
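The comment above makes two points: PBKDF2's cost comes from iterating a PRF a configurable number of times, and bounding input length is better done by the caller than by the stretcher. The following is an added illustration written for this page; it is not Django's code and not part of the ticket. It writes out one block of PBKDF2-HMAC-SHA256 by hand so the rounds are visible, checks it against the standard library, and places a length cap (the constant `MAX_PASSWORD_LENGTH` and the `within_limit` helper are assumptions chosen for the example) in the caller-facing function rather than inside the derivation.

```python
import hashlib
import hmac

# Hypothetical caller-side settings for this example (not Django's values).
MAX_PASSWORD_LENGTH = 4096   # bytes; enforced before any stretching happens
DEFAULT_ITERATIONS = 10_000  # the configurable "difficulty level"


def within_limit(password: str) -> bool:
    """Caller-side guard: reject over-long input before it reaches the stretcher."""
    return len(password.encode("utf-8")) <= MAX_PASSWORD_LENGTH


def stretch(password: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS,
            length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 with the length check done here, at the boundary.

    The derivation itself is not made insensitive to input size; the
    caller is responsible for keeping overly long input out, as the
    ticket comment suggests.
    """
    if not within_limit(password):
        raise ValueError("password exceeds MAX_PASSWORD_LENGTH")
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=length)


def verify(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Re-derive and compare; the comparison (not the stretch) is constant time."""
    if not within_limit(password):
        return False
    candidate = stretch(password, salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


def pbkdf2_one_block_by_hand(password: bytes, salt: bytes, iterations: int) -> bytes:
    """First 32-byte block of PBKDF2-HMAC-SHA256, spelled out.

    U_1 = HMAC(P, S || INT(1)), U_j = HMAC(P, U_{j-1}); T_1 = U_1 ^ ... ^ U_c.
    Each round is one more HMAC-SHA256, which is where the cost comes from.
    """
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha256).digest()
    acc = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()
        acc = bytearray(a ^ b for a, b in zip(acc, u))
    return bytes(acc)


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample value, not a real one
    key = stretch("correct horse battery staple", salt, 1000)
    print(key.hex())
    print(verify("correct horse battery staple", salt, 1000, key))
```

The hand-written block equals `hashlib.pbkdf2_hmac` for a 32-byte output, which is what makes the "multiple rounds of sha256" concrete: raising `iterations` raises the number of HMAC calls linearly, while the length cap keeps the per-round cost from being inflated by the caller's input.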