
pbkdf2_hmac takes a long time in Django

I'm doing some profiling of a Django REST framework API, and using a profiling middleware based on cProfile, I've got the following output:

Sat Mar  2 23:55:13 2019    /var/folders/jr/something
41224 function calls (40529 primitive calls) in 0.182 seconds

Ordered by: internal time

ncalls  tottime  percall  cumtime  percall filename:lineno(function)
    1    0.124    0.124    0.124    0.124 {built-in method _hashlib.pbkdf2_hmac}
   11    0.006    0.001    0.007    0.001 {method 'execute' of 'psycopg2.extensions.cursor' objects}
  252    0.003    0.000    0.003    0.000 {built-in method posix.stat}
   11    0.002    0.000    0.009    0.001 /Users/my-local-user/.pyenv/versions/3.7.0/lib/python3.7/traceback.py:312(extract)

Based on this, calling _hashlib.pbkdf2_hmac once takes almost 70% of my total execution time for a single request!

I haven't found a ton of information on this, except that it's used in OpenSSL - but I'm running locally without SSL.

Why is so much of my time being spent in a cryptographic function for a simple API request?

Forest Kunecke asked Oct 20 '25 05:10


1 Answer

PBKDF2 is used in Django for hashing passwords, that is, storing them in a way that does not allow the original password to be easily reproduced. It is designed to run slowly. It is hard to compute on purpose, so brute-forcing the original password takes a lot of time.

If you want to have profiling data without that slowness, you can tune down the number of iterations taken by this computation or you can switch to another, insecure hasher, even a dummy one. See Password management in Django for more details.

Remember to tune it down only for tests and profiling, because running it with a low iteration count in a production environment is a security risk!

GwynBleidD answered Oct 21 '25 20:10
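
The trade-off described in the answer above, as an added example that is not part of the original answer or of Django's code: it times the same hashlib.pbkdf2_hmac call at several iteration counts to show that the cost per hash, and therefore the cost of each password guess, grows with the count. The password, salt and iteration counts are constructed sample values, not Django's settings.

```python
import hashlib
import hmac
import time

# Constructed sample values, not taken from the page or from Django's defaults.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = b"constructed-salt"
ITERATION_COUNTS = (1_000, 10_000, 100_000)


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 through hashlib, the call that shows up in the profile."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Re-derive and compare in constant time; a check costs as much as a hash."""
    return hmac.compare_digest(derive(password, salt, iterations), stored)


def seconds_per_hash(iterations: int, repeats: int = 3) -> float:
    """Best-of-N wall-clock time for a single derivation."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        derive(SAMPLE_PASSWORD, SAMPLE_SALT, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def cost_table(counts=ITERATION_COUNTS) -> dict:
    """Map iteration count -> (seconds per hash, guesses per second on one core)."""
    table = {}
    for n in counts:
        t = seconds_per_hash(n)
        table[n] = (t, 1.0 / t)
    return table


if __name__ == "__main__":
    for n, (t, rate) in cost_table().items():
        print(f"{n:>7} iterations: {t * 1000:8.2f} ms/hash, ~{rate:,.0f} guesses/s")
```

The single slow call in the profile is one such derivation per password check; lowering the count speeds up the request and an offline guessing attempt by the same factor.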


