id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
25395	Add an optional dependency on python-fastpbkdf2	Terry Chia	nobody	"I maintain [https://github.com/Ayrx/python-fastpbkdf2 python-fastpbkdf2], a `hashlib.pbkdf2_hmac` compatible interface that's around 3 times faster on CPython and more than 10x faster on PyPy. 

This is the benchmark I use:

{{{
#!/usr/bin/bash

echo ""Benchmark hashlib...""
python -m timeit -n 100 -s ""from hashlib import pbkdf2_hmac"" ""pbkdf2_hmac('sha1', b'password', b'salt', 100000)""

echo ""Benchmark fastpbkdf2...""
python -m timeit -n 100 -s ""from fastpbkdf2 import pbkdf2_hmac"" ""pbkdf2_hmac('sha1', b'password', b'salt', 100000)""
}}}

On CPython 3.4.1:

{{{
$ ./bench.sh
Benchmark hashlib...
100 loops, best of 3: 60.2 msec per loop
Benchmark fastpbkdf2...
100 loops, best of 3: 20.3 msec per loop
}}}

On PyPy 2.6.0:

{{{
$ ./bench.sh
Benchmark hashlib...
100 loops, best of 3: 242 msec per loop
Benchmark fastpbkdf2...
100 loops, best of 3: 19.2 msec per loop
}}}

A faster PBKDF2 implementation improves security because a higher work factor can be used for the same amount of computing power.

I propose adding an optional dependency on `python-fastpbkdf2`, à la how Django depends on bcrypt, and modifying the code to prefer `python-fastpbkdf2`'s implementation whenever it's available, with a fallback on the current `hashlib.pbkdf2_hmac` and pure Python code.

If this idea seems favourable to the Django maintainers, I have a patch ready for review."	Cleanup/optimization	closed	contrib.auth	dev	Normal	needsinfo			Someday/Maybe	0	0	0	0	0	0
