[SECURITY] default to pbkdf2 with 320,000 iterations

(cherry picked from commit 3ea0b287d7)
(cherry picked from commit db8392a8ac)
(cherry picked from commit bd2a5fa292)
(cherry picked from commit 235a91c4ae)
(cherry picked from commit ec12e54182)
(cherry picked from commit d456d25d88)
(cherry picked from commit 4a332f73d1)
(cherry picked from commit d59b79a72c)
(cherry picked from commit 0ec0e97b3b)
(cherry picked from commit 9d51094c53)
This commit is contained in:
Loïc Dachary 2023-02-20 23:25:12 +01:00 committed by Earl Warren
parent 80ac107dc9
commit 3e917a5163
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
3 changed files with 7 additions and 7 deletions


@ -476,8 +476,8 @@ INTERNAL_TOKEN=
;;Classes include "lower,upper,digit,spec" ;;Classes include "lower,upper,digit,spec"
;PASSWORD_COMPLEXITY = off ;PASSWORD_COMPLEXITY = off
;; ;;
;; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt" ;; Password Hash algorithm, either "argon2", "pbkdf2"/"pbkdf2_v2", "pbkdf2_hi", "scrypt" or "bcrypt"
;PASSWORD_HASH_ALGO = pbkdf2 ;PASSWORD_HASH_ALGO = pbkdf2_hi
;; ;;
;; Set false to allow JavaScript to read CSRF cookie ;; Set false to allow JavaScript to read CSRF cookie
;CSRF_COOKIE_HTTP_ONLY = true ;CSRF_COOKIE_HTTP_ONLY = true
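Review bot: The updated comment on the PASSWORD_HASH_ALGO line lists `pbkdf2_hi` next to `pbkdf2`/`pbkdf2_v2` without saying how they differ, so an operator reading the sample cannot tell why the default moved or what it costs. The commit title is the only place that says `pbkdf2_hi` is PBKDF2 with 320,000 iterations; a line such as `;; "pbkdf2_hi" is PBKDF2 with a higher iteration count (slower to verify, stronger against offline guessing); "pbkdf2" is kept as an alias of "pbkdf2_v2"` would carry that into the sample, assuming the slash notation does mean an alias as it appears to. It may also be worth stating whether the setting only governs hashes stored after the change, which the sample does not say.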


@ -10,7 +10,7 @@ package hash
// //
// It will be dealiased as per aliasAlgorithmNames whereas // It will be dealiased as per aliasAlgorithmNames whereas
// defaultEmptyHashAlgorithmSpecification does not undergo dealiasing. // defaultEmptyHashAlgorithmSpecification does not undergo dealiasing.
const DefaultHashAlgorithmName = "pbkdf2" const DefaultHashAlgorithmName = "pbkdf2_hi"
var DefaultHashAlgorithm *PasswordHashAlgorithm var DefaultHashAlgorithm *PasswordHashAlgorithm
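Review bot: The constant now reads `"pbkdf2_hi"` but the doc comment above it still only explains dealiasing and says nothing about what the new default is or why, so the 320,000-iteration rationale from the commit title lives only in the history. Adding `// "pbkdf2_hi" is the higher-iteration PBKDF2 variant and is the default algorithm name.` to the comment block would keep that next to the code. The comment also says the name is dealiased via aliasAlgorithmNames while defaultEmptyHashAlgorithmSpecification is not, so it is worth confirming that `pbkdf2_hi` is a registered canonical name rather than an alias; otherwise the empty-config path and the explicit path could resolve differently. The comment block begins outside the hunk.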


@ -28,11 +28,11 @@ func TestCheckSettingPasswordHashAlgorithm(t *testing.T) {
}) })
} }
t.Run("pbkdf2_v2 is the default when default password hash algorithm is empty", func(t *testing.T) { t.Run("pbkdf2_hi is the default when default password hash algorithm is empty", func(t *testing.T) {
emptyConfig, emptyAlgo := SetDefaultPasswordHashAlgorithm("") emptyConfig, emptyAlgo := SetDefaultPasswordHashAlgorithm("")
pbkdf2v2Config, pbkdf2v2Algo := SetDefaultPasswordHashAlgorithm("pbkdf2_v2") pbkdf2hiConfig, pbkdf2hiAlgo := SetDefaultPasswordHashAlgorithm("pbkdf2_hi")
assert.Equal(t, pbkdf2v2Config, emptyConfig) assert.Equal(t, pbkdf2hiConfig, emptyConfig)
assert.Equal(t, pbkdf2v2Algo.Specification, emptyAlgo.Specification) assert.Equal(t, pbkdf2hiAlgo.Specification, emptyAlgo.Specification)
}) })
} }
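Review bot: The renamed subtest only pins that an empty PASSWORD_HASH_ALGO resolves to the same Specification as `pbkdf2_hi`; nothing in this hunk checks that the previous default name `pbkdf2` still resolves to `pbkdf2_v2` after the switch, which is what protects installations that set the old default explicitly. Unless an earlier subtest outside the hunk already covers it, a sibling case comparing `SetDefaultPasswordHashAlgorithm("pbkdf2")` against `SetDefaultPasswordHashAlgorithm("pbkdf2_v2")` with the same two assert.Equal lines would make such a regression visible. TestCheckSettingPasswordHashAlgorithm starts before the hunk.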