Opened 3 months ago

Closed 2 months ago

#35428 closed Cleanup/optimization (fixed)

ScryptPasswordHasher parallelism parameter is lower than the recommended in OWASP

Reported by: Natalia Bidart Owned by: Jae Hyuck Sa
Component: contrib.auth Version: dev
Severity: Normal Keywords: hashers iterations
Cc: Adam Johnson, Florian Apolloner Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Following this forum thread on password hashers iterations/parameters, it was agreed that the current parallelism parameter for ScryptPasswordHasher should be increased to 5. Alternatively we could switch to N=2^16 (64 MiB), r=8 (1024 bytes), p=2 or N=2^15 (32 MiB), r=8 (1024 bytes), p=3.

Source: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#scrypt

Change History (4)

comment:1 by Simon Charette, 3 months ago

Triage Stage: UnreviewedAccepted

comment:2 by Jae Hyuck Sa , 2 months ago

Has patch: set
Owner: changed from nobody to Jae Hyuck Sa
Status: newassigned

comment:3 by Sarah Boyce, 2 months ago

Triage Stage: AcceptedReady for checkin

comment:4 by Sarah Boyce <42296566+sarahboyce@…>, 2 months ago

Resolution: fixed
Status: assignedclosed

In 8f205ac:

Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher.

Note: See TracTickets for help on using tickets.
Back to Top