{ "info": { "author": "Martin Koistinen", "author_email": "mkoistinen@gmail.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 5 - Production/Stable", "Environment :: Web Environment", "Framework :: Django", "Intended Audience :: Developers", "License :: OSI Approved :: BSD License", "Operating System :: OS Independent", "Programming Language :: Python", "Programming Language :: Python :: 2.7", "Topic :: Communications", "Topic :: Internet :: WWW/HTTP :: Dynamic Content" ], "description": "Hash Benchmark\n##############\n\nProvides a managment command that times the current Django project's\npassword hashing settings.\n\nThis is useful for comparing and optimizing hash settings for the\nrunning environment.\n\n\nHow to install\n==============\n\n* Install the package: ``pip install hash_benchmark``;\n* Add ``'hash_benchmark',`` to your INSTALLED_APPS in settings.py;\n\nOptional but **strongly** recommended:\n\n* ``pip install argon2_cffi``.\n\n\nHow to use\n==========\n\nInstall this package as per the above instructions in your project on\nhardware typical for your project's production environment.\n\nRun the management command with your current password hashing settings\nand take a note of the performance: ::\n\n # Tests hashing performance of your installations pbkdf2_sha256\n # algorithm with 100,000 iterations\n > python manage.py hash_password -i 100000\n\n Python: 2.7.10 (default, Jul 13 2015, 12:05:58) \n [GCC 4.2.1 Compatible Apple LLVM 6.1.0 (clang-602.0.53)]\n Django: 1.9.7\n Using \"pbkdf2_sha256\" w/parameters (100000), verification takes, on average, 0.0821s\n\nNow, decide if this \"work factor\" (average password verification\nduration) is appropriate for your project's needs. Your goal is to spend\nas much time hashing as possible and still have acceptable performance\nfor your users during password verification.\n\nImportant considerations for choosing the right work-level are:\n\n* Considerations for a higher work-factor:\n\n * Stronger protection of your hashed passwords against brute-\n force attacks, possibly requiring less frequent forced password\n change policies for your users\n\n* Considerations for a lower work-factor:\n\n * Faster log-ins for users;\n * Better site performance when many users are logging-in\n simultaneously;\n * Large work-factors can be exploited remotely to cause DDoS\n attacks on your site\n\nArmed with this management command, you can now make informed decisions\nabout the settings to use for PBKDF2_SHA256 and its\niterations parameter.\n\n\nSwitching to Argon2\n===================\n\nArgon2 is a newer password hashing algorithm that is supported in\nDjango 1.10 when the 3rd-party library `argon2_cffi` is installed\n(see above). Argon2 is designed to be more resilient to GPU-based\nbrute-force attacks.\n\nThe argon2_cffi implementation is already very fast due to the fact that\nit is implemented as a compile C-library and is multi-threaded. This\nalready makes it significantly faster than anything written in Python.\n\nCasual anecdotal evidence from the internet collated by this author in\nJan 2017 suggests that for the same duration of work (in seconds), a\nDjango installation configured to run Argon2 is estimated to be about\n1,500X more resilient than a SHA256-based algorithm against GPU-based\nbrute-force attacks.\n\n :Notice:\n \n Please do not make important decisions based on these figures, do\n your own research!\n\nIf Argon2 is right for your project, it is suggested that the\nparallelism parameter should be set to 2X the number of CPUs in your\nsystem. The memory_cost should be adapted to your environment. The\ndefault value is 1,536K bytes, which is reasonably small and should be\na safe value for almost any environment. A higher memory_cost value may\nprovide even better resilience against GPUs. The time_cost remains to\nbe set according to how long your project is willing to spend verifying\na password.\n\nFor more information read: https://argon2-cffi.readthedocs.io/en/stable/parameters.html", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/mkoistinen/hash_benchmark", "keywords": null, "license": "LICENSE.txt", "maintainer": null, "maintainer_email": null, "name": "hash_benchmark", "package_url": "https://pypi.org/project/hash_benchmark/", "platform": "OS Independent", "project_url": "https://pypi.org/project/hash_benchmark/", "project_urls": { "Download": "UNKNOWN", "Homepage": "https://github.com/mkoistinen/hash_benchmark" }, "release_url": "https://pypi.org/project/hash_benchmark/0.2.0/", "requires_dist": null, "requires_python": null, "summary": "Simple management commands for benchmarking a Django project's hash settings", "version": "0.2.0" }, "last_serial": 2557848, "releases": { "0.2.0": [ { "comment_text": "", "digests": { "md5": "032162f214aa18c412fea678427c04df", "sha256": "7d46ddd8dc6c2ebba236f79c3fdc05fd8e1fe01fea039e898228c20e59f24d38" }, "downloads": -1, "filename": "hash_benchmark-0.2.0.tar.gz", "has_sig": false, "md5_digest": "032162f214aa18c412fea678427c04df", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5990, "upload_time": "2017-01-06T14:57:14", "url": "https://files.pythonhosted.org/packages/a2/9b/9a8fe63371283d8c240c1d907633e9d94223ac762b7e0166a56be30e561c/hash_benchmark-0.2.0.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "032162f214aa18c412fea678427c04df", "sha256": "7d46ddd8dc6c2ebba236f79c3fdc05fd8e1fe01fea039e898228c20e59f24d38" }, "downloads": -1, "filename": "hash_benchmark-0.2.0.tar.gz", "has_sig": false, "md5_digest": "032162f214aa18c412fea678427c04df", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5990, "upload_time": "2017-01-06T14:57:14", "url": "https://files.pythonhosted.org/packages/a2/9b/9a8fe63371283d8c240c1d907633e9d94223ac762b7e0166a56be30e561c/hash_benchmark-0.2.0.tar.gz" } ] }