--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/a13898dc-5f34-4d3a-83f4-88dff82bdfb8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
But, to be consistent with Django 1.x going forward, let's define 36,000 iterations as "acceptable performance" for a Python2 with Django 1.11 install on a typical piece of server hardware today (beginning of 2017). A useful benchmark would be to determine how many iterations would yield the same delay on a Py3 + Django 1.11 install on the same server.
But, to be consistent with Django 1.x going forward, let's define 36,000 iterations as "acceptable performance" for a Python2 with Django 1.11 install on a typical piece of server hardware today (beginning of 2017). A useful benchmark would be to determine how many iterations would yield the same delay on a Py3 + Django 1.11 install on the same server.

That sounds like a sensible benchmark to see where we are at current. I think Django should be aiming for 100k+ as default at least to match the Python docs though. Let's not forget that users can tweak it down as well as up if they do have problems with the execution time.
Tobias McNulty
Chief Executive Officer
Python: 2.7.10 (default, Jul 13 2015, 12:05:58) [GCC 4.2.1 Compatible Apple LLVM 6.1.0 (clang-602.0.53)]
Django: 1.9.7
Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification takes, on average, 0.0955s
Python: 3.5.1 (v3.5.1:37a07cee5969, Dec 5 2015, 21:12:44) [GCC 4.2.1 (Apple Inc. build 5666) (dot 3)]
Django: 1.10.3
Using cipher: "pbkdf2_sha256" with 100,000 iterations, verification takes, on average, 0.2751s
--Aymeric.
Here's an interesting tidbit from Alex Gaynor in 2014:

It's worth noting that, if I'm understanding this correctly, there are two slow versions of pbkdf2 we have to worry about -- the one bundled in Django (https://github.com/django/django/blob/6732566967888f2c12efee1146940c85c0154e60/django/utils/crypto.py#L142, which is used pre-2.7.8 and pre-3.4 and claims to be 5x slower) and the Python fallback for pbkdf2_hmac (which I suppose is used if OpenSSL is unavailable (?) and claims to be 3x slower).

Martin, is it possible your version of Python 3 is not linked against OpenSSL and hence is missing the fast version of pbkdf2_hmac? I haven't had a chance to try your benchmark yet, but in a quick test I don't see any difference between Python 3.5.2 and Python 2.7.12 on a Mac.

Tobias
...
Row | python_version | download_count
1 | 3.5.2 | 75888
2 | 2.7.12 | 65879
3 | 2.7.6 | 63925
4 | null | 56744
5 | 2.7.9 | 40378
6 | 2.7.10 | 25213
7 | 3.4.3 | 23223
8 | 2.7.13 | 20657
9 | 2.7.5 | 17256
IMO this doesn't change the argument that it would be best to default to the higher number of iterations (i.e., 100k or higher, given some time has passed since 2013), while noting in the documentation that individual projects have the ability to reduce it if need be (though perhaps recommending that they try first to find a faster Python). Other thoughts?
On Mon, Jan 9, 2017 at 10:44 PM, Martin Koistinen <mkois...@gmail.com> wrote:
The Python3.5 on my system was installed by the official Python installer, and is almost 3X slower than the Apple-built 2.7 install. I use pip all day long.

True, my MacBook is not a server, but it still serves to demonstrate the point that it is not a reasonable assumption that all 3.5 installs use OpenSSL libraries.

On Monday, January 9, 2017 at 7:39:18 PM UTC-5, Tim Graham wrote:

About "we cannot just assume that all Python 3 installs have a "fast" PBKDF2 implementation" -- I'd expect very few if any Django users to be compiling their own Python and doing so without OpenSSL. I'm guessing that any operating system Python will have the OpenSSL bindings. Or is that a bad assumption?

On Wednesday, January 4, 2017 at 2:13:09 PM UTC-5, Martin Koistinen wrote:

I think this is a pretty solid guess. Bear in mind this was a direct install from Python.org.

The important thing here is, this demonstrates that we cannot just assume that all Python 3 installs have a "fast" PBKDF2 implementation =/

On Wednesday, January 4, 2017 at 11:33:17 AM UTC-5, Tobias McNulty wrote:

...

Martin, is it possible your version of Python 3 is not linked against OpenSSL and hence is missing the fast version of pbkdf2_hmac? I haven't had a chance to try your benchmark yet, but in a quick test I don't see any difference between Python 3.5.2 and Python 2.7.12 on a Mac.

Tobias
I'm not sure the DoS concern is really something that can be addressed here. Regardless of the number of iterations we choose, POSTing to the login form will always be a target, unless it's appropriately protected (i.e., with some combination of rate limiting, recaptcha, and/or something at the network level). A run-of-the-mill cloud server that doesn't limit access to the Python app in some way is simply never going to be a match for a malicious person with a laptop, let alone a more sophisticated attack.

I created a tox.ini to run Martin's benchmark with multiple Django & Python versions. A couple notes:
- I ran this several times on Circle CI using Ubuntu 12.04 with Python 2.7.7, 3.3.3, 3.4.3, and 3.5.0, and Ubuntu 14.04 with 2.7.12, 3.3.6, 3.4.4, and 3.5.2. To view the results, expand the "tox" section under the "Test" header.
- All results are what one would expect: Python 2.7.7 and Python 3.3.x are ~3-4x slower than Python 2.7.8+ and Python 3.4+, and there are no inexplicably slow outliers, like the official Python 3.5.2 installer for OS X.
My local results are as follows:
- Ubuntu 16.04 w/a Core i5 @ 3.50GHz:
  - 62-65ms for 100,000 iterations
  - 100-106ms for 165,000 iterations
- Mac OS 10.12, Core i5 @ 2.7GHz:
  - 117-120ms for 100,000 iterations
  - 195-203ms for 165,000 iterations
I really don't know how we can pick a number that'll work for everyone, but I'm all for setting it high and allowing people to decrease the number of iterations or, better yet, switch to the hasher that the docs recommend everyone use anyway (Argon2). If we define 100-120ms as acceptable performance, 100k would seem reasonable based on the results above and posted elsewhere in this thread.

Martin, FWIW, I can confirm that the Python 3.5.2 installer from python.org demonstrates the same 3x slower behavior on my Mac that you saw. The Python 3.5.2 I installed from Homebrew does not, nor does the official python.org installer for Python 3.6. Based on the absence of any similar outliers in the above tests, however, I still think the conclusion here should be to fix the underlying Python build (if it's really creating a performance issue for you or anyone else), not hold back Django from bumping its default number of PBKDF2 iterations. Dropping Python 2.7 support still means we lose a large swath of definitely-slow PBKDF2 implementations: 24.4% of installs where the Python version was known were using 2.7.5 or 2.7.6 in the chart Alex posted.

The point about switching Django's default to Argon2 is an intriguing one. In the event there are still a bunch of slow PBKDF2 implementations out there with Python 3.5+, one benefit of dramatically increasing PBKDF2 iterations is that it might push more people to Argon2. :-D On a more serious note, I'll reply separately to that thread to save this one for the original topic.
Tobias
Also, if a developer is experienced/motivated enough to lower the hash iterations, s/he'll be more likely to also be experienced/motivated enough to put other controls in place to compensate.
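Added example (not from the thread or from Django itself): a small Python script for the two checks the discussion keeps coming back to, namely which PBKDF2 backend the interpreter is actually running (OpenSSL-backed `_hashlib` versus the slower pure-Python fallback) and how many iterations cost a chosen delay on the machine at hand. The hash string layout mirrors Django's `pbkdf2_sha256$<iterations>$<salt>$<base64 hash>` format; the password and salt values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import time


def pbkdf2_backend():
    """Name of the module providing hashlib.pbkdf2_hmac.

    CPython re-exports pbkdf2_hmac from the OpenSSL-backed _hashlib module when
    it is available; otherwise the pure-Python fallback defined in hashlib.py
    runs, which is the "3x slower" case discussed in the thread.
    """
    return getattr(hashlib.pbkdf2_hmac, "__module__", "hashlib")


def derive(password, salt, iterations):
    """Raw PBKDF2-HMAC-SHA256 output (32 bytes, the digest size)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)


def encode(password, salt, iterations):
    """Django-style 'pbkdf2_sha256$<iterations>$<salt>$<base64 hash>' string."""
    digest = base64.b64encode(derive(password, salt, iterations)).decode("ascii")
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, digest)


def verify(password, encoded):
    """Re-derive with the stored parameters and compare in constant time."""
    algorithm, iterations, salt, _ = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported hasher: %s" % algorithm)
    candidate = encode(password, salt, int(iterations))
    return hmac.compare_digest(candidate.encode(), encoded.encode())


def time_verification(iterations, rounds=3):
    """Average seconds a single login-style verification takes at this count."""
    salt = base64.b64encode(os.urandom(9)).decode("ascii")  # constructed salt
    encoded = encode("correct horse battery staple", salt, iterations)
    start = time.perf_counter()
    for _ in range(rounds):
        verify("correct horse battery staple", encoded)
    return (time.perf_counter() - start) / rounds


def iterations_for_delay(target_seconds, probe_iterations=20000):
    """Iteration count that costs roughly target_seconds on this machine.

    PBKDF2 cost is linear in the iteration count, so one short probe is
    scaled up; the result is rounded down to the nearest thousand.
    """
    per_iteration = time_verification(probe_iterations) / probe_iterations
    return int(target_seconds / per_iteration) // 1000 * 1000
```

Running `iterations_for_delay(0.1)` on a Python 3 build reporting `_hashlib` versus one reporting `hashlib` makes the backend gap visible directly as the iteration budget, rather than as a hand-compared timing.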