Opened 7 months ago
Closed 6 months ago
#35428 closed Cleanup/optimization (fixed)
ScryptPasswordHasher parallelism parameter is lower than the recommended in OWASP
| Reported by: | Natalia Bidart | Owned by: | Jae Hyuck Sa |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Normal | Keywords: | hashers iterations |
| Cc: | Adam Johnson, Florian Apolloner | Triage Stage: | Ready for checkin |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Following this forum thread on password hashers iterations/parameters, it was agreed that the current parallelism parameter for ScryptPasswordHasher should be increased to 5. Alternatively we could switch to N=2^16 (64 MiB), r=8 (1024 bytes), p=2 or N=2^15 (32 MiB), r=8 (1024 bytes), p=3.
Source: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#scrypt
Change History (4)
comment:1 by , 7 months ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 6 months ago
| Has patch: | set |
|---|---|
| Owner: | changed from to |
| Status: | new → assigned |
comment:3 by , 6 months ago
| Triage Stage: | Accepted → Ready for checkin |
|---|
comment:4 by , 6 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Note:
See TracTickets
for help on using tickets.
In 8f205ac: