#25395 closed Cleanup/optimization (needsinfo)
Add an optional dependency on python-fastpbkdf2
| Reported by: | Terry Chia | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Someday/Maybe | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I maintain python-fastpbkdf2, a hashlib.pbkdf2_hmac compatible interface that's around 3 times faster on CPython and more than 10x faster on PyPy.
This is the benchmark I use:
#!/usr/bin/bash
echo "Benchmark hashlib..."
python -m timeit -n 100 -s "from hashlib import pbkdf2_hmac" "pbkdf2_hmac('sha1', b'password', b'salt', 100000)"
echo "Benchmark fastpbkdf2..."
python -m timeit -n 100 -s "from fastpbkdf2 import pbkdf2_hmac" "pbkdf2_hmac('sha1', b'password', b'salt', 100000)"
On CPython 3.4.1,
$ ./bench.sh Benchmark hashlib... 100 loops, best of 3: 60.2 msec per loop Benchmark fastpbkdf2... 100 loops, best of 3: 20.3 msec per loop
On PyPy 2.6.0:
$ ./bench.sh Benchmark hashlib... 100 loops, best of 3: 242 msec per loop Benchmark fastpbkdf2... 100 loops, best of 3: 19.2 msec per loop
A faster PBKDF2 implementation improves security because a higher work factor can be used for the same amount of computing power.
I propose adding an optional dependency on python-fastpbkdf2 ala how Django depends on bcrypt and modifying the code to prefer python-fastpbkdf2's implementation whenever it's available with a fallback on the current hashlib.pbkdf2_hmac and pure Python code.
If this idea seems favourable to the Django maintainers, I have a patch ready for review.
Change History (5)
follow-up: 2 comment:1 by , 9 years ago
| Has patch: | unset |
|---|
comment:2 by , 9 years ago
Replying to timgraham:
Are your improvements suitable for inclusion in Python itself? It seems better to pursue that course of action to me. My initial reaction is reluctance to add a dependency in a security sensitive area, especially for a project which is only 1 month old. You can write to the DevelopersMailingList to get more feedback.
I'm not sure if it's suitable for inclusions into Python itself as I'm not a core dev. Even if it is, it won't benefit Python 2.7 or PyPy users (who gains the most from this library).
I understand the hesitation to add a dependency on a new project. If it's any help, I take test coverage very seriously and the project is currently at 100% coverage and are tested against the standard PBKDF2 vectors. The bindings rely on CFFI which is what the bcrypt dependency also currently using. The C library itself about 400 or so lines of pretty readable C if anyone would like to review it.
I'll write to the list seeking further feedback in a few days.
comment:3 by , 9 years ago
| Triage Stage: | Unreviewed → Someday/Maybe |
|---|
comment:4 by , 9 years ago
| Resolution: | → needsinfo |
|---|---|
| Status: | new → closed |
I think the follow up on the mailing list hasn't happened yet.
Are your improvements suitable for inclusion in Python itself? It seems better to pursue that course of action to me. My initial reaction is reluctance to add a dependency in a security sensitive area, especially for a project which is only 1 month old. You can write to the DevelopersMailingList to get more feedback.