hapi v13.0.0 is a tiny release with a single change to ensure passwords passed internally to the iron module are sufficiently long (a new minimum length of 32 characters). This release will simply assert if short passwords are passed. This is a critical verification, as short passwords are easy to exploit with brute force.
Thanks to @tomsteele for his help with this release.
The new requirement will cause invalid configurations to fail with an error that the password string is too short. This is a good thing - you want it to fail, because if your password is indeed too short, you are at real risk of being exploited. Because the internal encryption mechanism uses the pbkdf2 algorithm with a single iteration to generate the keys, it is a pretty quick operation. Because the method is called on every incoming request, increasing the iteration count would have a linear negative impact on performance. To avoid that, a long password instead creates far too many possible password combinations for an attacker to try in a timely manner.