Issue 2551252: Modify default rounds for password_pbkdf2_default_rounds to match OSWAP

classification

Title:	Modify default rounds for password_pbkdf2_default_rounds to match OSWAP
Type:	security	Severity:	normal
Components:	Web interface	Versions:

process

Status:	new	Resolution:
Dependencies		Superseder:
Assigned To:		Nosy List:	rouilj
Priority:		Keywords:	Blocker, Effort-Low, StarterTicket

Created on 2022-12-23 03:46 by rouilj, last changed 2022-12-23 03:46 by rouilj.

Messages
msg7699	Author: [hidden] (rouilj)	Date: 2022-12-23 03:46
We use sha1 along with PBKDF2. https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 recommends 720,000 iterations not 10000. Change config default to 720,000. Changing the default will not invalidate existing passwords hashes. They will still be usable. Existing passwords will still retain the 10000 iteration number. Also because of issue 2551251, passwords will not be automatically re-encrypted when user logs in via web interface.

msg7699

Author: [hidden] (rouilj)

Date: 2022-12-23 03:46

We use sha1 along with PBKDF2.
 
   https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2

recommends 720,000 iterations not 10000.

Change config default to 720,000.

Changing the default will not invalidate existing passwords hashes. They will still
be usable.

Existing passwords will still retain the 10000 iteration number.
Also because of issue 2551251, passwords will not be automatically re-encrypted when user
logs in via web interface.

History
Date	User	Action	Args
2022-12-23 03:46:47	rouilj	create

Roundup Tracker - Issues

Issue 2551252