Add an optional dependency on python-fastpbkdf2

[Terry Chia]

Greetings,

11 months ago, I opened a ticket (#25395) on the bug tracker about potentially adding a dependency on python-fastpbkdf2, a library I wrote and maintain that provides a faster implementation of PBKDF2 than the stdlib while maintaining API compatibility. Tim rightly pointed out that he was hesitant to add a dependency on a new library in a security-sensitive area and suggested that I write to this list to gather feedback. Sadly, I got really busy with work and neglected to follow up on it at that point in time. 

11 months later, I am hoping to open up the discussion again. In that time period, passlib has opted to add a optional dependency on the library [0], there has been a third party library that integrates python-fastpbkdf2 with Django[1] and having used it in a number of internal projects, it is definitely stable. I have a patch ready to go if the interest is there.

So Django developers, what do you think?

[0]: https://bitbucket.org/ecollins/passlib/issues/67/add-an-optional-dependency-on-python

[1]: https://github.com/smartfile/django-fastpbkdf2

[Aymeric Augustin]

Hello,

I’m +0 on adding support for this library. I also think it would be worth trying to integrate it in Python itself so we can rely on the stdlib for the faster version eventually.

-- 

Aymeric.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/562b41c1-1e58-4af2-ab84-4fcf2026ac13%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Florian Apolloner]

What was the motivation for writing your own library instead of improving the version in python itself? Personally I do not see much gain, if you have to install a dependency, you could as well just install bcrypt or argon2 and ditch pbkdf2. For those people where it really makes a difference, a custom backend as you already have should be just fine.

[Florian Apolloner]

Ups, just realized that we use pbldf2 for more than just password hashing -- if that where not the case the multi-library approach like the bcrypt hasher uses would be preferred. That said, I would still prefer it if you got in contact with Christian Heimes from Python to push this into Python itself (or OpenSSL for that matter, didn't check the code).

[Alex Gaynor]

AFAIK upstream Python does use an optimized PBKDF2 (and OpenSSL 1.1.0 also has it).

Alex

--

You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.

To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscribe@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.

Visit this group at https://groups.google.com/group/django-developers.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/054efcdd-1c09-455a-ae7a-e0f8d36f8ba6%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero

GPG Key fingerprint: D1B3 ADC0 E023 8CA6

[Aymeric Augustin]

Well fastpbkdf2 claims a 3x improvement over what Python ships. See the timeit results in the README.

-- 

Aymeric.

To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.

Visit this group at https://groups.google.com/group/django-developers.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFRnB2XKCpQAKaneOY6QxPu0cJDDJpCUXy32-RRiHhunTBUc9g%40mail.gmail.com.

[Terry Chia]

@Florian: Getting this into core Python and/or OpenSSL is a possible option but that will not benefit users of older Pythons (and of course PyPy) of which there are many.

@Alex: The implementation I am binding it *much* faster than the one OpenSSL ships, even in 1.1.0 due to the strategies described in https://jbp.io/2015/08/11/pbkdf2-performance-matters/#strategies.

On Sunday, August 21, 2016 at 5:08:14 AM UTC+8, Aymeric Augustin wrote:

Well fastpbkdf2 claims a 3x improvement over what Python ships. See the timeit results in the README.

-- 

Aymeric.

On 20 Aug 2016, at 22:03, Alex Gaynor <alex....@gmail.com> wrote:

AFAIK upstream Python does use an optimized PBKDF2 (and OpenSSL 1.1.0 also has it).

Alex

On Sat, Aug 20, 2016 at 4:02 PM, Florian Apolloner <f.apo...@gmail.com> wrote:

Ups, just realized that we use pbldf2 for more than just password hashing -- if that where not the case the multi-library approach like the bcrypt hasher uses would be preferred. That said, I would still prefer it if you got in contact with Christian Heimes from Python to push this into Python itself (or OpenSSL for that matter, didn't check the code).

On Saturday, August 20, 2016 at 9:46:27 PM UTC+2, Florian Apolloner wrote:

What was the motivation for writing your own library instead of improving the version in python itself? Personally I do not see much gain, if you have to install a dependency, you could as well just install bcrypt or argon2 and ditch pbkdf2. For those people where it really makes a difference, a custom backend as you already have should be just fine.

On Saturday, August 20, 2016 at 1:53:21 PM UTC+2, Terry Chia wrote:

Greetings,

11 months ago, I opened a ticket (#25395) on the bug tracker about potentially adding a dependency on python-fastpbkdf2, a library I wrote and maintain that provides a faster implementation of PBKDF2 than the stdlib while maintaining API compatibility. Tim rightly pointed out that he was hesitant to add a dependency on a new library in a security-sensitive area and suggested that I write to this list to gather feedback. Sadly, I got really busy with work and neglected to follow up on it at that point in time. 

11 months later, I am hoping to open up the discussion again. In that time period, passlib has opted to add a optional dependency on the library [0], there has been a third party library that integrates python-fastpbkdf2 with Django[1] and having used it in a number of internal projects, it is definitely stable. I have a patch ready to go if the interest is there.

So Django developers, what do you think?

[0]: https://bitbucket.org/ecollins/passlib/issues/67/add-an-optional-dependency-on-python

[1]: https://github.com/smartfile/django-fastpbkdf2

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.

To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/054efcdd-1c09-455a-ae7a-e0f8d36f8ba6%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero

GPG Key fingerprint: D1B3 ADC0 E023 8CA6

[Florian Apolloner]

On Sunday, August 21, 2016 at 5:05:59 AM UTC+2, Terry Chia wrote:

@Florian: Getting this into core Python and/or OpenSSL is a possible option but that will not benefit users of older Pythons (and of course PyPy) of which there are many.

Yeah, but I think that writing a faster implementation and adding it to Django, without pushing it upstream too in parallel is at least counterproductive in the long run. Especially having a ticket on python/openssl will get another set of eyes/reviews, even if it then takes them longer to ship.