#35428: ScryptPasswordHasher parallelism parameter is lower than the recommended in OWASP
-------------------------------------+-------------------------------------
Reporter: Natalia Bidart | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: dev
Severity: Normal | Keywords: hashers iterations
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
Following this [https://forum.djangoproject.com/t/stop-increasing-default-pbkdf2-iteration-count/25539/7 forum thread on password hashers iterations/parameters],
it was agreed that the current `parallelism`
parameter for `ScryptPasswordHasher` should be increased to 5.
Alternatively we could switch to `N=2^16 (64 MiB), r=8 (1024 bytes), p=2`
or `N=2^15 (32 MiB), r=8 (1024 bytes), p=3`.
Source:
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#scrypt
--
Ticket URL: <https://code.djangoproject.com/ticket/35428>
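
Added example (not part of the ticket or of Django's code): the three parameter sets quoted above, run through Python's `hashlib.scrypt` to show their memory footprint, their relative work, and which of them exceed OpenSSL's default 32 MiB memory cap. The password, salt and helper names are constructed for illustration.

```python
import hashlib

MIB = 1024 * 1024

# (N, r, p) sets quoted in the ticket from the OWASP cheat sheet.
TICKET_PARAMS = [(2**14, 8, 5), (2**15, 8, 3), (2**16, 8, 2)]


def scrypt_memory(n, r):
    """Size in bytes of scrypt's main working array (128 * N * r)."""
    return 128 * n * r


def derive(password, salt, n, r, p, maxmem=0):
    """Derive a 64-byte key; maxmem=0 keeps OpenSSL's default cap (32 MiB)."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, maxmem=maxmem, dklen=64)


def fits_default_limit(n, r, p):
    """True if hashlib.scrypt accepts the parameters without raising maxmem."""
    try:
        derive(b"constructed-password", b"constructed-salt", n, r, p)
        return True
    except ValueError:  # OpenSSL rejects the set: memory limit exceeded
        return False


def required_maxmem(n, r, p):
    """Working array plus 1 MiB headroom for the per-lane blocks and bookkeeping."""
    return scrypt_memory(n, r) + MIB


def report():
    rows = []
    for n, r, p in TICKET_PARAMS:
        maxmem = required_maxmem(n, r, p)
        key = derive(b"constructed-password", b"constructed-salt", n, r, p, maxmem)
        rows.append({
            "params": (n, r, p),
            "memory_mib": scrypt_memory(n, r) // MIB,
            "relative_work": (n * r * p) // (2**14 * 8),  # vs. N=2^14, r=8, p=1
            "fits_default_limit": fits_default_limit(n, r, p),
            "key_len": len(key),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

Django's `ScryptPasswordHasher` exposes the same knobs as the class attributes `work_factor`, `block_size`, `parallelism` and `maxmem`, so adopting either alternative set also means raising `maxmem` above the OpenSSL default, while the `p=5` change does not.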