rehashing in pbkdf2?


Oct 27, 2013, 6:33:22 PM
Just saw the release note in Django 1.5.5.
How about passlib?

Eli Collins

Oct 28, 2013, 12:41:26 PM
Passlib has enforced a max-password-size limit since v1.6.0 (see, the section labeled "Password Size Limit"). Coincidentally, this defaults to 4096 characters, the same as Django, though Passlib's can be configured via an environmental variable (see That limit is enforced uniformly for all of passlib's hashers, because the structure of some of their algorithms makes it nearly impossible to prevent a DoS issue. So unlike Django, that limit probably won't ever be removed.

Regarding their other change... the development repo already has a similar pre-hashed-key optimization made to its pbkdf2 implementation, which will be rolled out with v1.7. But I plan to go study Django's and a few others before the final release, to make sure there isn't any more speed I can wring out of it :)

- Eli
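
The two defenses discussed in the message above, a size limit checked before hashing and a PBKDF2 key that is prepared once instead of in every round, sketched as an added example (not passlib's or Django's code). The function names are hypothetical, the limit is counted in bytes as an assumption, and only the first 32-byte PBKDF2-HMAC-SHA256 block is computed.

```python
import hashlib
import hmac

MAX_PASSWORD_SIZE = 4096   # default limit quoted in the post above (bytes assumed)
BLOCK_SIZE = 64            # HMAC-SHA256 block size in bytes

def check_size(password: bytes) -> bytes:
    # Reject oversized input before any hashing work is done.
    if len(password) > MAX_PASSWORD_SIZE:
        raise ValueError("password exceeds maximum allowed size")
    return password

def pbkdf2_naive(password: bytes, salt: bytes, rounds: int) -> bytes:
    # Textbook form: every hmac.new() call re-processes the key, so a key
    # longer than BLOCK_SIZE is hashed again in every round.
    u = hmac.new(password, salt + b"\x00\x00\x00\x01", hashlib.sha256).digest()
    out = int.from_bytes(u, "big")
    for _ in range(rounds - 1):
        u = hmac.new(password, u, hashlib.sha256).digest()
        out ^= int.from_bytes(u, "big")
    return out.to_bytes(32, "big")

def pbkdf2_prehashed(password: bytes, salt: bytes, rounds: int) -> bytes:
    # Key setup happens once: shrink a long key, then absorb the two padded
    # key blocks into hash states that are copied for each round.
    key = hashlib.sha256(password).digest() if len(password) > BLOCK_SIZE else password
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner = hashlib.sha256(bytes(b ^ 0x36 for b in key))
    outer = hashlib.sha256(bytes(b ^ 0x5C for b in key))

    def prf(msg: bytes) -> bytes:
        i = inner.copy()
        i.update(msg)
        o = outer.copy()
        o.update(i.digest())
        return o.digest()

    u = prf(salt + b"\x00\x00\x00\x01")
    out = int.from_bytes(u, "big")
    for _ in range(rounds - 1):
        u = prf(u)
        out ^= int.from_bytes(u, "big")
    return out.to_bytes(32, "big")
```

Both functions return the same bytes as `hashlib.pbkdf2_hmac("sha256", ...)`; with the pre-hashed form, the per-round cost no longer depends on the password length, and the size check bounds the one-time setup cost.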


Oct 28, 2013, 3:27:14 PM
I completely forgot that on the system where I've used passlib, in registration or login, the password is cut to 30 char!
Sorry again :D
And always waiting for the newest passlib ;)
Thank you again