Issue 2551252
Created on 2022-12-23 03:46 by rouilj, last changed 2023-02-24 00:21 by rouilj.
msg7699 | Author: [hidden] (rouilj) | Date: 2022-12-23 03:46
We use sha1 along with PBKDF2.
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
recommends 720,000 iterations not 10000.
Change config default to 720,000.
Changing the default will not invalidate existing password hashes. They will still
be usable.
Existing passwords will still retain the 10000 iteration number.
Also because of issue 2551251, passwords will not be automatically re-encrypted when a user
logs in via the web interface.

msg7732 | Author: [hidden] (rouilj) | Date: 2023-02-24 00:21
Current cheat sheet recommends 1,300,000 for SHA1, so I changed it to 2,000,000.
With SHA512 replacing SHA1, I only need 210,000 rounds.
Fixed in rev be7849588372.
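The two messages above turn on one property of PBKDF2 storage: the iteration count (and the digest) is written into the stored string, so raising the configured default only affects newly hashed passwords while old 10000-round SHA1 hashes keep verifying. The following is an added example, not Roundup's own password code: the `{PBKDF2}` / `{PBKDF2S5}` scheme prefixes and the `rounds$salt$hash` layout are assumptions chosen for illustration, and `rehash_on_login` shows the re-encryption step that msg7699 says does not happen automatically because of issue 2551251.

```python
import hashlib
import hmac
import os

# Scheme prefix -> hashlib digest name. Prefixes and layout are assumed
# for this example; Roundup's real password.py may differ.
SCHEMES = {
    "PBKDF2": "sha1",      # legacy scheme discussed in msg7699
    "PBKDF2S5": "sha512",  # SHA-512 replacement discussed in msg7732
}

# Defaults after the change described in msg7732 (210,000 rounds for SHA-512).
DEFAULT_SCHEME = "PBKDF2S5"
DEFAULT_ROUNDS = 210_000


def encode_password(password, scheme=DEFAULT_SCHEME, rounds=DEFAULT_ROUNDS, salt=None):
    """Hash `password` with PBKDF2-HMAC and embed scheme, rounds and salt
    in the stored string so verification never depends on the current config."""
    if salt is None:
        salt = os.urandom(16).hex()  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        SCHEMES[scheme], password.encode("utf-8"), salt.encode("ascii"), rounds
    )
    return "{%s}%d$%s$%s" % (scheme, rounds, salt, digest.hex())


def parse_stored(stored):
    """Split '{SCHEME}rounds$salt$hexdigest' into its parts."""
    if not stored.startswith("{"):
        raise ValueError("unrecognised stored password format")
    scheme, rest = stored[1:].split("}", 1)
    if scheme not in SCHEMES:
        raise ValueError("unknown scheme %r" % scheme)
    rounds, salt, digest = rest.split("$", 2)
    return scheme, int(rounds), salt, digest


def verify_password(password, stored):
    """Recompute with the rounds recorded in `stored`, not the config default,
    so hashes made under an older setting remain usable."""
    scheme, rounds, salt, digest = parse_stored(stored)
    candidate = hashlib.pbkdf2_hmac(
        SCHEMES[scheme], password.encode("utf-8"), salt.encode("ascii"), rounds
    )
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(candidate.hex(), digest)


def needs_rehash(stored, scheme=DEFAULT_SCHEME, rounds=DEFAULT_ROUNDS):
    """True when the stored hash uses an older scheme or fewer rounds than
    the current default, i.e. it still has the 10000-iteration weakness."""
    stored_scheme, stored_rounds, _, _ = parse_stored(stored)
    return stored_scheme != scheme or stored_rounds < rounds


def rehash_on_login(password, stored):
    """Check a login and, if the password is correct and the hash is
    out of date, return an upgraded hash to write back to the user record.
    Returns (ok, new_stored_or_None)."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, encode_password(password)
    return True, None


if __name__ == "__main__":
    # Constructed sample: a hash made under the old 10000-round SHA1 default.
    legacy = encode_password("correct horse", scheme="PBKDF2", rounds=10_000)
    print("legacy verifies:", verify_password("correct horse", legacy))
    print("legacy needs rehash:", needs_rehash(legacy))
    ok, upgraded = rehash_on_login("correct horse", legacy)
    print("login ok:", ok, "upgraded prefix:", upgraded.split("$", 1)[0])
```

The `needs_rehash` check is the piece a deployment wants when a default is raised: without it, accounts that never re-set their password keep the 10000-round SHA1 hash indefinitely, which is exactly the situation msg7699 describes.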
Date | User | Action | Args
2023-02-24 00:21:29 | rouilj | set | priority: high; assignee: rouilj; messages: + msg7732; status: new -> fixed; resolution: fixed
2022-12-23 03:46:47 | rouilj | create |