[Django] #35428: ScryptPasswordHasher parallelism parameter is lower than the recommended in OWASP


Django

May 3, 2024, 2:48:01 PM
to django-...@googlegroups.com
#35428: ScryptPasswordHasher parallelism parameter is lower than the recommended in OWASP
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: nobody
Type: Cleanup/optimization           | Status: new
Component: contrib.auth              | Version: dev
Severity: Normal                     | Keywords: hashers iterations
Triage Stage: Unreviewed             | Has patch: 0
Needs documentation: 0               | Needs tests: 0
Patch needs improvement: 0           | Easy pickings: 0
UI/UX: 0                             |
-------------------------------------+-------------------------------------
Following this [https://forum.djangoproject.com/t/stop-increasing-default-pbkdf2-iteration-count/25539/7
forum thread on password hashers iterations/parameters], it was agreed that
the current `parallelism` parameter for `ScryptPasswordHasher` should be
increased to 5.
Alternatively we could switch to `N=2^16 (64 MiB), r=8 (1024 bytes), p=2`
or `N=2^15 (32 MiB), r=8 (1024 bytes), p=3`.

Source:
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#scrypt
--
Ticket URL: <https://code.djangoproject.com/ticket/35428>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
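As an added example (my own script, not Django's hasher code and not part of this thread), the following checks the memory and relative CPU figures behind the parameter sets quoted in the ticket and derives keys with each of them through the standard library's `hashlib.scrypt`. Django's pre-fix defaults (N=2**14, r=8, p=1) are taken from the hasher source rather than from this thread, and the candidate names are constructed for the example.

```python
import hashlib
import os

# Parameter sets under discussion; names are constructed for this example.
# "django_old" is the hasher's default before this ticket (N=2**14, r=8, p=1),
# "django_p5" the agreed change, "owasp_*" the alternatives quoted in the ticket.
CANDIDATES = {
    "django_old": (2**14, 8, 1),
    "django_p5": (2**14, 8, 5),
    "owasp_n16": (2**16, 8, 2),
    "owasp_n15": (2**15, 8, 3),
}

def scrypt_memory_bytes(n, r):
    """scrypt's ROMix table is 128 * r * N bytes: with r=8 (1024-byte blocks)
    N=2**16 needs 64 MiB and N=2**15 needs 32 MiB, as quoted in the ticket.
    p does not change this; it multiplies CPU work, so raising p alone keeps
    the memory footprint of the existing default."""
    return 128 * r * n

def scrypt_relative_work(n, r, p):
    """CPU-cost proxy proportional to N * r * p (each of the p lanes runs 2N
    BlockMix calls over 2r Salsa20/8 blocks). Only ratios are meaningful."""
    return 4 * n * r * p

def scrypt_hash(password, salt, n, r, p, dklen=64):
    """Derive a key with the OpenSSL-backed stdlib scrypt. maxmem must exceed
    OpenSSL's 32 MiB default or the 64 MiB candidate raises ValueError before
    doing any work: table + p * 128 * r working buffer + 1 MiB slack."""
    maxmem = 128 * r * (n + 2 + p) + 1024 * 1024
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=maxmem, dklen=dklen)

def compare_candidates():
    """Memory in MiB and CPU work relative to django_old, per candidate."""
    base = scrypt_relative_work(*CANDIDATES["django_old"])
    return {name: (scrypt_memory_bytes(n, r) // 2**20,
                   scrypt_relative_work(n, r, p) / base)
            for name, (n, r, p) in CANDIDATES.items()}

if __name__ == "__main__":
    salt = os.urandom(16)  # constructed per run; Django stores its own salt
    for name, (n, r, p) in CANDIDATES.items():
        mem, work = compare_candidates()[name]
        digest = scrypt_hash("correct horse battery staple", salt, n, r, p)
        print(f"{name:10s} N=2**{n.bit_length() - 1} r={r} p={p}: "
              f"{mem:2d} MiB, {work:.0f}x work, key {digest[:8].hex()}...")
```

Running it shows why the ticket's three options differ: p=5 keeps the 16 MiB table and multiplies work fivefold, while the two OWASP sets raise memory to 64 or 32 MiB at eight or six times the old work.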

Django

May 3, 2024, 5:29:25 PM
to django-...@googlegroups.com
#35428: ScryptPasswordHasher parallelism parameter is lower than the recommended in OWASP
--------------------------------------+------------------------------------
Reporter: Natalia Bidart             | Owner: nobody
Type: Cleanup/optimization           | Status: new
Component: contrib.auth              | Version: dev
Severity: Normal                     | Resolution:
Keywords: hashers iterations         | Triage Stage: Accepted
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Simon Charette):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/35428#comment:1>

Django

May 10, 2024, 4:10:00 PM
to django-...@googlegroups.com
#35428: ScryptPasswordHasher parallelism parameter is lower than the recommended in OWASP
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: Jae Hyuck Sa
Type: Cleanup/optimization           | Status: assigned
Component: contrib.auth              | Version: dev
Severity: Normal                     | Resolution:
Keywords: hashers iterations         | Triage Stage: Accepted
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jae Hyuck Sa):

* has_patch: 0 => 1
* owner: nobody => Jae Hyuck Sa
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/35428#comment:2>

Django

May 16, 2024, 4:08:02 AM
to django-...@googlegroups.com
#35428: ScryptPasswordHasher parallelism parameter is lower than the recommended in OWASP
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: Jae Hyuck Sa
Type: Cleanup/optimization           | Status: assigned
Component: contrib.auth              | Version: dev
Severity: Normal                     | Resolution:
Keywords: hashers iterations         | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce):

* stage: Accepted => Ready for checkin

--
Ticket URL: <https://code.djangoproject.com/ticket/35428#comment:3>

Django

May 17, 2024, 11:14:09 AM
to django-...@googlegroups.com
#35428: ScryptPasswordHasher parallelism parameter is lower than the recommended in OWASP
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart             | Owner: Jae Hyuck Sa
Type: Cleanup/optimization           | Status: closed
Component: contrib.auth              | Version: dev
Severity: Normal                     | Resolution: fixed
Keywords: hashers iterations         | Triage Stage: Ready for checkin
Has patch: 1                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Sarah Boyce <42296566+sarahboyce@…>):

* resolution: => fixed
* status: assigned => closed

Comment:

In [changeset:"8f205acea94e93a463109e08814f78c09307f2b9" 8f205ac]:
{{{#!CommitTicketReference repository=""
revision="8f205acea94e93a463109e08814f78c09307f2b9"
Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35428#comment:4>