From 91bfc38d91218a342458e62f96bc64f951bb7e4a Mon Sep 17 00:00:00 2001
From: SaJH <wogur981208@gmail.com>
Date: Sun, 12 May 2024 03:32:57 +0900
Subject: [PATCH] Fixed #35428 -- Increased parallelism of the
 ScryptPasswordHasher.

---
 django/contrib/auth/hashers.py   | 2 +-
 docs/releases/5.1.txt            | 3 +++
 tests/auth_tests/test_hashers.py | 4 ++--
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
index e23ae6243ec6..b53974756119 100644
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@@ -570,7 +570,7 @@ class ScryptPasswordHasher(BasePasswordHasher):
     algorithm = "scrypt"
     block_size = 8
     maxmem = 0
-    parallelism = 1
+    parallelism = 5
     work_factor = 2**14
 
     def encode(self, password, salt, n=None, r=None, p=None):
diff --git a/docs/releases/5.1.txt b/docs/releases/5.1.txt
index f2a6bccb0c4d..311b38330807 100644
--- a/docs/releases/5.1.txt
+++ b/docs/releases/5.1.txt
@@ -46,6 +46,9 @@ Minor features
 * The default iteration count for the PBKDF2 password hasher is increased from
   720,000 to 870,000.
 
+* In order to follow OWASP recommendations, the default ``parallelism`` of the
+  ``ScryptPasswordHasher`` is increased from 1 to 5.
+
 * :class:`~django.contrib.auth.forms.BaseUserCreationForm` and
   :class:`~django.contrib.auth.forms.AdminPasswordChangeForm` now support
   disabling password-based authentication by setting an unusable password on
diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py
index 1b0d2c65be4b..bec298cc3a00 100644
--- a/tests/auth_tests/test_hashers.py
+++ b/tests/auth_tests/test_hashers.py
@@ -650,8 +650,8 @@ def test_scrypt(self):
         encoded = make_password("lètmein", "seasalt", "scrypt")
         self.assertEqual(
             encoded,
-            "scrypt$16384$seasalt$8$1$Qj3+9PPyRjSJIebHnG81TMjsqtaIGxNQG/aEB/NY"
-            "afTJ7tibgfYz71m0ldQESkXFRkdVCBhhY8mx7rQwite/Pw==",
+            "scrypt$16384$seasalt$8$5$ECMIUp+LMxMSK8xB/IVyba+KYGTI7FTnet025q/1f"
+            "/vBAVnnP3hdYqJuRi+mJn6ji6ze3Fbb7JEFPKGpuEf5vw==",
         )
         self.assertIs(is_password_usable(encoded), True)
         self.assertIs(check_password("lètmein", encoded), True)