Slightly off-topic, this presents a really nice case for switching to Argon2 via argon2_cffi (supported in Django 1.10+). It's super fast (C-lib) and resistant to GPU/ASIC brute-forcing. So, whereas an attacker's 8-GPU hashing machine would probably have something on the order of 24,000X more hashing capability for SHA256 than a typical Django server, I estimate that the same hardware (8 GPUs) would only have about 20-30X more hashing capability than a typical server. (Note, the anecdotal evidence across the internet supporting this is pretty thin).
Tobias McNulty
Chief Executive Officer
I think adding argon2_cffi to extra_requires could be a good idea, so that users can pip install Django[argon2_cffi].