Opened 5 years ago

Last modified 4 years ago

#31358 closed Cleanup/optimization

Increase default password salt size — at Initial Version

Reported by: Jon Moroney Owned by: nobody
Component: contrib.auth Version: dev
Severity: Normal Keywords:
Cc: Florian Apolloner Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

I've made a patch for this here
https://github.com/django/django/pull/12553
Which changes the default salt size from ~71 bits to ~131 bits

The rational is that modern guidance suggests a 128 bit minimum on salt sizes
OWASP: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Password_Storage_Cheat_Sheet.md#salting
NIST: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf

In the case of NIST this is technically a hard requirement.

Change History (0)

Note: See TracTickets for help on using tickets.
Back to Top