Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher.

django · May 16, 2024 · 91bfc38 · 91bfc38
1 parent 34f329e
commit 91bfc38
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
@@ -570,7 +570,7 @@ class ScryptPasswordHasher(BasePasswordHasher):
     algorithm = "scrypt"
     block_size = 8
     maxmem = 0
-    parallelism = 1
+    parallelism = 5
     work_factor = 2**14
 
     def encode(self, password, salt, n=None, r=None, p=None):

diff --git a/docs/releases/5.1.txt b/docs/releases/5.1.txt
@@ -46,6 +46,9 @@ Minor features
 * The default iteration count for the PBKDF2 password hasher is increased from
   720,000 to 870,000.
 
+* In order to follow OWASP recommendations, the default ``parallelism`` of the
+  ``ScryptPasswordHasher`` is increased from 1 to 5.
+
 * :class:`~django.contrib.auth.forms.BaseUserCreationForm` and
   :class:`~django.contrib.auth.forms.AdminPasswordChangeForm` now support
   disabling password-based authentication by setting an unusable password on

diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
@@ -650,8 +650,8 @@ def test_scrypt(self):
         encoded = make_password("lètmein", "seasalt", "scrypt")
         self.assertEqual(
             encoded,
-            "scrypt$16384$seasalt$8$1$Qj3+9PPyRjSJIebHnG81TMjsqtaIGxNQG/aEB/NY"
-            "afTJ7tibgfYz71m0ldQESkXFRkdVCBhhY8mx7rQwite/Pw==",
+            "scrypt$16384$seasalt$8$5$ECMIUp+LMxMSK8xB/IVyba+KYGTI7FTnet025q/1f"
+            "/vBAVnnP3hdYqJuRi+mJn6ji6ze3Fbb7JEFPKGpuEf5vw==",
         )
         self.assertIs(is_password_usable(encoded), True)
         self.assertIs(check_password("lètmein", encoded), True)