bpo-42982: Improve the text on suggested number of iterations of PBKDF2 (GH-24276)

Less specific number wording (as there is no one right number - the old 100k is too big for some applications and woefully small for others). We now link to NIST SP 800-132 to tell people what to read in there on how to decide for their application.

Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google]

Doc/library/hashlib.rst

@@ -249,8 +249,9 @@ include a `salt <https://en.wikipedia.org/wiki/Salt_%28cryptography%29>`_.
    a proper source, e.g. :func:`os.urandom`.
 
    The number of *iterations* should be chosen based on the hash algorithm and
-   computing power. As of 2013, at least 100,000 iterations of SHA-256 are
+   computing power. As of 2022, hundreds of thousands of iterations of SHA-256
-   suggested.
+   are suggested. For rationale as to why and how to choose what is best for
+   your application, read *Appendix A.2.2* of NIST-SP-800-132_.
 
    *dklen* is the length of the derived key. If *dklen* is ``None`` then the
    digest size of the hash algorithm *hash_name* is used, e.g. 64 for SHA-512.
@@ -731,6 +732,7 @@ Domain Dedication 1.0 Universal:
 .. _SHA-3: https://en.wikipedia.org/wiki/NIST_hash_function_competition
 .. _ChaCha: https://cr.yp.to/chacha.html
 .. _pyblake2: https://pythonhosted.org/pyblake2/
+.. _NIST-SP-800-132: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf
 
 
 
@@ -754,3 +756,6 @@ Domain Dedication 1.0 Universal:
 
    https://www.ietf.org/rfc/rfc8018.txt
       PKCS #5: Password-Based Cryptography Specification Version 2.1
+
+   https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf
+      NIST Recommendation for Password-Based Key Derivation.