I'm doing some profiling of a django rest framework API, and using a profiling middleware based on cProfile, I've got the following output:
Sat Mar 2 23:55:13 2019 /var/folders/jr/something
41224 function calls (40529 primitive calls) in 0.182 seconds
Ordered by: internal time
ncalls tottime percall cumtime percall filename:lineno(function)
1 0.124 0.124 0.124 0.124 {built-in method _hashlib.pbkdf2_hmac}
11 0.006 0.001 0.007 0.001 {method 'execute' of 'psycopg2.extensions.cursor' objects}
252 0.003 0.000 0.003 0.000 {built-in method posix.stat}
11 0.002 0.000 0.009 0.001 /Users/my-local-user/.pyenv/versions/3.7.0/lib/python3.7/traceback.py:312(extract)
Based on this, calling _hashlib.pbkdf2_hmac
once takes almost 70% of my total execution time for a single request!
I haven't found a ton of information on this, except that it's used in openSSL - but I'm running locally without ssl.
Why is so much of my time being spent in a cryptographic function for a simple API request?
pbkdf2
is used in Django for hashing passwords - storing them in a way not allowing to easily reproduce the original password. It is designed to run slow. It is by purpose hard to compute, so brute-forcing the original password takes a lot of time.
If you want to have profiling data without that slowness, you can tune down the number of iterations taken by this computation or you can switch to another, insecure hasher, even a dummy one. See Password management in Django for more details.
Remember to tune it down only for tests and profiling, because running it on low iterations count in a production environment is a security risk!
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With