Opened 8 months ago
Closed 7 months ago
#35428 closed Cleanup/optimization (fixed)
ScryptPasswordHasher parallelism parameter is lower than the recommended in OWASP
Reported by: | Natalia Bidart | Owned by: | Jae Hyuck Sa |
---|---|---|---|
Component: | contrib.auth | Version: | dev |
Severity: | Normal | Keywords: | hashers iterations |
Cc: | Adam Johnson, Florian Apolloner | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Following this forum thread on password hashers iterations/parameters, it was agreed that the current parallelism parameter for ScryptPasswordHasher should be increased to 5. Alternatively we could switch to N=2^16 (64 MiB), r=8 (1024 bytes), p=2 or N=2^15 (32 MiB), r=8 (1024 bytes), p=3.
Source: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#scrypt
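The memory figures quoted in the description follow from the size of scrypt's working array, 128 * N * r bytes. The sketch below is an added example, not code from the ticket or from Django: it computes the cost of each parameter set and shows why the cost parameters should be stored with each hash, so that records created under a lower parallelism still verify and can be flagged for rehashing. The record format, the function names, and N=2^14, r=8 for the p=5 row are assumptions.

```python
import base64
import hashlib
import hmac

# Parameter sets named in the ticket, as (N, r, p). N=2**14, r=8 for the p=5
# row is an assumption; the ticket itself only gives the parallelism value.
TICKET_SETS = [(2**14, 8, 5), (2**16, 8, 2), (2**15, 8, 3)]
CURRENT = TICKET_SETS[0]  # policy this example treats as up to date


def scrypt_memory_bytes(n, r):
    """Size of scrypt's working array V: 128 * N * r bytes."""
    return 128 * n * r


def salsa_core_calls(n, r, p):
    """CPU work: p lanes, each 2*N BlockMix rounds of 2*r Salsa20/8 calls."""
    return 4 * n * r * p


def derive(password, salt, n, r, p):
    # OpenSSL rejects anything above its default 32 MiB cap unless maxmem is
    # raised, so size it from the parameters plus 1 MiB of headroom.
    maxmem = scrypt_memory_bytes(n, r) + 128 * r * p + 2**20
    dk = hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, maxmem=maxmem, dklen=64)
    return base64.b64encode(dk).decode()


def encode(password, salt, params=CURRENT):
    """Hypothetical storage format: the cost parameters travel with the hash."""
    n, r, p = params
    return f"scrypt${n}${r}${p}${salt.hex()}${derive(password, salt, n, r, p)}"


def check(password, encoded):
    """Return (password_ok, needs_rehash) for a stored record."""
    _, n, r, p, salt_hex, digest = encoded.split("$")
    params = (int(n), int(r), int(p))
    ok = hmac.compare_digest(derive(password, bytes.fromhex(salt_hex), *params), digest)
    return ok, params != CURRENT


if __name__ == "__main__":
    for n, r, p in TICKET_SETS:
        mib = scrypt_memory_bytes(n, r) // 2**20
        print(f"N=2^{n.bit_length() - 1} r={r} p={p}: {mib} MiB, {salsa_core_calls(n, r, p)} Salsa20/8 calls")
```

Raising p multiplies CPU work without changing the per-lane memory, which is why the ticket's alternatives trade a larger N for a smaller p.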
Change History (4)
comment:1 by , 8 months ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:2 by , 8 months ago
Has patch: | set |
---|---|
Owner: | changed from | to
Status: | new → assigned |
comment:3 by , 7 months ago
Triage Stage: | Accepted → Ready for checkin |
---|
comment:4 by , 7 months ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
In 8f205ac: