#35428: ScryptPasswordHasher parallelism parameter is lower than the one recommended by OWASP
-------------------------------------+-------------------------------------
               Reporter:  Natalia Bidart       |          Owner:  nobody
                   Type:  Cleanup/optimization |         Status:  new
              Component:  contrib.auth         |        Version:  dev
               Severity:  Normal               |       Keywords:  hashers iterations
           Triage Stage:  Unreviewed           |      Has patch:  0
    Needs documentation:  0                    |    Needs tests:  0
Patch needs improvement:  0                    |  Easy pickings:  0
                  UI/UX:  0                    |
-------------------------------------+-------------------------------------
Following this [https://forum.djangoproject.com/t/stop-increasing-default-pbkdf2-iteration-count/25539/7 forum thread on password hashers iterations/parameters], it was agreed that the current `parallelism` parameter for `ScryptPasswordHasher` should be increased to 5.

Alternatively we could switch to `N=2^16 (64 MiB), r=8 (1024 bytes), p=2` or `N=2^15 (32 MiB), r=8 (1024 bytes), p=3`.

Source: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#scrypt
--
Ticket URL: <https://code.djangoproject.com/ticket/35428>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
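The parameter sets named in the ticket, exercised side by side as an added example. This is not Django's code nor anything the reporter posted: it calls `hashlib.scrypt`, the standard-library primitive that `ScryptPasswordHasher` wraps, to hash a constructed password under the current Django defaults (N=2^14, r=8, p=1), the proposed p=5, and the two OWASP alternatives, reporting the memory each set costs and the time it takes. The helper names, the labels in `PARAMS`, the sample password and salts are all my own. The one caveat a practitioner would want is also demonstrated: OpenSSL's scrypt refuses parameter sets whose memory estimate exceeds `maxmem`, and leaving `maxmem` at 0 means OpenSSL's 32 MiB default, so the N=2^16 alternative fails unless `maxmem` is raised alongside it.

```python
"""Added example (not Django's code): exercise the scrypt parameter sets
named in ticket #35428 with hashlib.scrypt, the primitive that
ScryptPasswordHasher wraps.  Helper names and labels are my own.
"""
import hashlib
import hmac
import os
import time

# Parameter sets from the ticket, as (N, r, p).  The first is what
# ScryptPasswordHasher ships with today; the others are the proposals.
PARAMS = {
    "current  N=2^14 r=8 p=1": (2**14, 8, 1),
    "proposed N=2^14 r=8 p=5": (2**14, 8, 5),
    "owasp    N=2^16 r=8 p=2": (2**16, 8, 2),
    "owasp    N=2^15 r=8 p=3": (2**15, 8, 3),
}

# OpenSSL refuses to run scrypt when its memory estimate exceeds maxmem, and
# hashlib.scrypt's maxmem=0 means "use OpenSSL's default", which is 32 MiB.
OPENSSL_DEFAULT_MAXMEM = 32 * 2**20


def memory_mib(n, r):
    """The figure OWASP quotes next to each N: the 128*r*N-byte V array."""
    return 128 * r * n / 2**20


def openssl_estimate(n, r, p):
    """Bytes OpenSSL checks against maxmem: B (128*r*p) plus V (128*r*(N+2))."""
    return 128 * r * p + 128 * r * (n + 2)


def scrypt_hash(password, salt, n, r, p, dklen=64):
    """Derive a 64-byte key (Django's dklen) with an explicit maxmem so that
    N=2^16 does not trip the 32 MiB default.  Twice the estimate is headroom."""
    maxmem = 2 * openssl_estimate(n, r, p)
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=maxmem, dklen=dklen)


def verify(password, salt, n, r, p, expected):
    """Constant-time comparison, as a password hasher's verify() must do."""
    return hmac.compare_digest(scrypt_hash(password, salt, n, r, p), expected)


def rejected_by_default_limit(n, r, p):
    """True when hashlib.scrypt with maxmem left at 0 refuses these params.
    This is the failure a Django subclass hits if it raises work_factor to
    2^16 without also raising maxmem.  The probe inputs are constructed."""
    try:
        hashlib.scrypt(b"probe", salt=b"probe-salt", n=n, r=r, p=p)
    except ValueError:
        return True
    return False


def benchmark(password=b"correct horse battery staple"):
    """Hash a constructed password once per parameter set and report the
    memory the set costs and the wall time it took on this machine."""
    results = {}
    for label, (n, r, p) in PARAMS.items():
        salt = os.urandom(16)  # fresh random salt, as a hasher would use
        start = time.perf_counter()
        digest = scrypt_hash(password, salt, n, r, p)
        results[label] = {
            "mib": memory_mib(n, r),
            "seconds": time.perf_counter() - start,
            "digest_len": len(digest),
        }
    return results


if __name__ == "__main__":
    for label, row in benchmark().items():
        print(f"{label}: {row['mib']:6.1f} MiB  {row['seconds'] * 1000:7.1f} ms")
    print("N=2^16 rejected with maxmem=0:", rejected_by_default_limit(2**16, 8, 2))
```

Timings are machine-dependent, which is the point of running the benchmark rather than quoting numbers: p multiplies CPU time without raising the memory footprint, while raising N doubles both per step. Note that `openssl_estimate` is the accounting OpenSSL applies, which is slightly above the 128*r*N figure in the OWASP table, so a subclass that sets `work_factor = 2**16` needs `maxmem` comfortably above 64 MiB, not exactly 64 MiB.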