From ace0aa2a2793ba4a2b03e56c4ec375c5470edee8 Mon Sep 17 00:00:00 2001
From: "Gregory P. Smith"
Date: Thu, 27 Jan 2022 12:18:28 -0800
Subject: bpo-42982: update pbkdf2 example & add another link (GH-30966)
Automerge-Triggered-By: GH:gpshead
---
 Doc/library/hashlib.rst | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/Doc/library/hashlib.rst b/Doc/library/hashlib.rst
index 269e8a8..aa24131 100644
--- a/Doc/library/hashlib.rst
+++ b/Doc/library/hashlib.rst
@@ -251,15 +251,17 @@ include a `salt `_.
 The number of *iterations* should be chosen based on the hash algorithm and computing power. As of 2022, hundreds of thousands of iterations of SHA-256 are suggested. For rationale as to why and how to choose what is best for
- your application, read *Appendix A.2.2* of NIST-SP-800-132_.
+ your application, read *Appendix A.2.2* of NIST-SP-800-132_. The answers
+ on the `stackexchange pbkdf2 iterations question`_ explain in detail.
 *dklen* is the length of the derived key. If *dklen* is ``None`` then the digest size of the hash algorithm *hash_name* is used, e.g. 64 for SHA-512.
- >>> import hashlib
- >>> dk = hashlib.pbkdf2_hmac('sha256', b'password', b'salt', 100000)
+ >>> from hashlib import pbkdf2_hmac
+ >>> our_app_iters = 500_000 # Application specific, read above.
+ >>> dk = pbkdf2_hmac('sha256', b'password', b'bad salt'*2, our_app_iters)
 >>> dk.hex()
- '0394a2ede332c9a13eb82e9b24631604c31df978b4e2f0fbd2c549944f9d79a5'
+ '15530bba69924174860db778f2c6f8104d3aaf9d26241840c8c4a641c8d000a9'
 .. versionadded:: 3.4
@@ -733,7 +735,7 @@ Domain Dedication 1.0 Universal:
 .. _ChaCha: https://cr.yp.to/chacha.html
 .. _pyblake2: https://pythonhosted.org/pyblake2/
 .. _NIST-SP-800-132: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf
-
+.. _stackexchange pbkdf2 iterations question: https://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pbkdf2-sha256/
 .. seealso::
--
cgit v0.12