#django #pbkdf2 #scrypt #argon #passwords #owasp

PBKDF2 default iteration count history in Django

History of the default PBKDF2 iteration count in Django's password hasher module (django/contrib/auth/hashers.py), the hasher used for user passwords. The first column is the commit date, the second the new default:

2013-09-19 12000
2014-07-11 20000
2015-01-16 24000
2015-09-19 30000
2016-05-20 36000
2017-01-17 100000
2018-05-13 120000
2018-05-17 150000
2018-12-27 180000
2019-09-12 216000
2020-05-04 260000
2021-01-14 320000
2021-09-16 390000
2022-05-10 480000
2023-01-13 580000
2023-02-04 720000
2023-09-15 870000
2024-05-03 1_000_000
2024-12-13 1_200_000

You can get this exact output from a Django checkout using this fancy shell "Excel formula". Two caveats: --grep only selects commits whose message mentions "pbkdf2", so a bump made in a commit with a differently worded message would be missing from the list, and paste - - assumes every selected commit adds exactly one "iterations =" line, otherwise the date/value pairs shift out of alignment:

git log --date short -p --grep pbkdf2 -i django/contrib/auth/hashers.py \
| grep -E "Date:|\+.*iterations = [0-9]" \
| sed -E s/"^Date:\s+"//g \
| grep iterations -B 1 \
| sed s/"+ *iterations ="/""/g \
| grep -v "\-\-" \
| paste - - \
| sed -E s/"\s+"/" "/g \
| sort

(paste saved my life here)

Apparently, the current Django policy is to increase this value by around 20% per feature release; the release checklist asks for the bump shortly before each feature freeze: https://docs.djangoproject.com/en/dev/internals/howto-release-django/#a-few-days-before-a-feature-freeze.

By the way, for comparison: the current OWASP Password Storage Cheat Sheet puts the floor for PBKDF2-HMAC-SHA256 at 600,000 iterations, and recommends Argon2id (or scrypt where Argon2id is unavailable) over PBKDF2 if you can choose: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html.
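As an added example (not Django's own code, and it does not import Django), here is a hashlib-only re-creation of Django's pbkdf2_sha256$<iterations>$<salt>$<hash> encoding. It shows why the number above can change every release without breaking anyone's stored password: the iteration count travels inside the hash, verification uses the stored count rather than the current default, and a must_update check re-hashes with the new count on the next successful login. The verify_and_upgrade, meets_owasp_floor and seconds_per_hash helpers, the 22-character alphanumeric salt and the sample password are this example's own assumptions, not Django's API.

```python
import base64
import hashlib
import hmac
import secrets
import string
import time

# Added example, not Django's code: a minimal re-creation of how Django stores
# PBKDF2 passwords, to show why the default iteration count can keep changing
# between releases without invalidating stored hashes.
#
# Django's PBKDF2PasswordHasher encodes a password as
#     pbkdf2_sha256$<iterations>$<salt>$<base64(PBKDF2-HMAC-SHA256 output)>
# so every stored hash carries the iteration count it was made with.

ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 1_200_000   # Django default as of 2024-12-13 (see the table above)
OWASP_MIN_ITERATIONS = 600_000   # OWASP floor for PBKDF2-HMAC-SHA256
SALT_ALPHABET = string.ascii_letters + string.digits   # assumption: alphanumeric salt


def make_password(password, iterations=CURRENT_ITERATIONS, salt=None):
    """Return a Django-style encoded hash. The salt must not contain '$' (the field separator)."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(22))
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(dk).decode('ascii')}"


def decode(encoded):
    """Split an encoded hash into its parts; rejects anything that is not pbkdf2_sha256."""
    algorithm, iterations, salt, digest = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return {"algorithm": algorithm, "iterations": int(iterations), "salt": salt, "hash": digest}


def check_password(password, encoded):
    """Verify with the iteration count embedded in the stored hash, not the current default."""
    parts = decode(encoded)
    candidate = make_password(password, parts["iterations"], parts["salt"])
    # Constant-time comparison of the full encoded strings.
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


def must_update(encoded, target=CURRENT_ITERATIONS):
    """Re-hash whenever the stored count differs from the hasher's current one."""
    return decode(encoded)["iterations"] != target


def meets_owasp_floor(encoded, floor=OWASP_MIN_ITERATIONS):
    """True if the stored hash already has at least the OWASP-recommended count."""
    return decode(encoded)["iterations"] >= floor


def verify_and_upgrade(password, encoded, target=CURRENT_ITERATIONS):
    """Login-time flow: verify against the old parameters, then re-hash with the current ones.

    Returns (ok, encoded_to_store). Only a successful verification can trigger an
    upgrade, because that is the only moment the plaintext is available.
    """
    if not check_password(password, encoded):
        return False, encoded
    if must_update(encoded, target):
        encoded = make_password(password, target)
    return True, encoded


def seconds_per_hash(iterations, rounds=3):
    """Rough wall-clock cost of one hash at a given count; the cost the ~20% bumps are tracking."""
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", b"benchmark", b"benchmark-salt", iterations)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Constructed sample: a hash minted under the 2013 default, then presented at login today.
    legacy = make_password("correct horse battery staple", iterations=12_000)
    print("legacy hash:", legacy)
    print("meets OWASP floor:", meets_owasp_floor(legacy))
    ok, upgraded = verify_and_upgrade("correct horse battery staple", legacy)
    print("login ok:", ok, "| iterations now:", decode(upgraded)["iterations"])
    for n in (12_000, OWASP_MIN_ITERATIONS, CURRENT_ITERATIONS):
        print(f"{n:>9} iterations: {seconds_per_hash(n):.3f} s per hash")
```

Run it as a script to see a 12,000-iteration hash get verified and silently re-minted at 1,200,000 iterations, followed by the per-hash cost at the old default, the OWASP floor and the current Django default on your own machine. The practical point for operators is that raising the default only protects accounts that log in again; hashes of dormant accounts keep their old count until you force a reset or re-hash them some other way.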