
Enhance generation of password hashes #1935

Merged
1 commit merged into pallets:master from password-generation-enhancements on Oct 14, 2020

Conversation

illia-v
Contributor

@illia-v illia-v commented Oct 9, 2020

No description provided.

@davidism
Member

davidism commented Oct 9, 2020

How did you arrive at the new value of 26000 rounds? What is the reasoning behind increasing the salt length, and why 16?

@illia-v
Contributor Author

illia-v commented Oct 9, 2020

How did you arrive at the new value of 26000 rounds? What is the reasoning behind increasing the salt length, and why 16?

I am sorry for not specifying this in the description of the PR; I added the reasons to the descriptions of the commits.

We increased the number of iterations last time two years ago and got it from Django (#1377). This time the number is the same as Django uses too (django/django@2185007).

16 characters are recommended by OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#salting.

@davidism
Member

davidism commented Oct 9, 2020

OK, thanks. Don't worry about the test failure, I need to investigate that separately.

Increase the number of PBKDF2 iterations to 260000. Matches Django's latest value:
django/django@2185007

Increase salt length to 16 characters following an OWASP recommendation:
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#salting

Use the secrets module for generating the salt:
https://docs.python.org/3/library/secrets.html#recipes-and-best-practices
@davidism davidism force-pushed the password-generation-enhancements branch from f87443c to 7729a62 on October 14, 2020 16:42
@davidism davidism added this to the 2.0.0 milestone Oct 14, 2020
@davidism davidism merged commit e89c0f8 into pallets:master Oct 14, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2020
@illia-v illia-v deleted the password-generation-enhancements branch March 4, 2023 09:13
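The three changes in the commit message above (260000 PBKDF2 iterations, a 16-character salt, `secrets` as the randomness source) are easy to read as three unrelated constants, but the property that makes the iteration bump safe to ship is that the iteration count and salt travel inside the stored hash string, so passwords hashed under the old parameters keep verifying and can be re-hashed on next login. The following is an added, stand-alone illustration written for this page; it is not Werkzeug's code and the function names (`hash_password`, `check_password`, `needs_rehash`) are mine, not Werkzeug's API. It only borrows the `pbkdf2:sha256:<iterations>$<salt>$<hexdigest>` layout that Werkzeug-style hashes use. The "older" parameters in the usage section (150000 iterations, 8-character salt) are picked for illustration, not taken from the PR.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional, Tuple

# Parameters from the PR: 260000 PBKDF2-HMAC-SHA256 iterations and a
# 16-character salt. With 62 possible characters per position a 16-char
# salt carries about 95 bits of entropy, so salt collisions are not a concern.
PBKDF2_ITERATIONS = 260_000
SALT_LENGTH = 16
SALT_CHARS = string.ascii_letters + string.digits


def gen_salt(length: int = SALT_LENGTH) -> str:
    """Alphanumeric salt drawn from the OS CSPRNG via the secrets module.

    secrets.choice is used instead of random.choice: the random module is a
    Mersenne Twister seeded from a small state and is not suitable for salts.
    """
    if length <= 0:
        raise ValueError("salt length must be positive")
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def hash_password(password: str, *, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[str] = None) -> str:
    """Return 'pbkdf2:sha256:<iterations>$<salt>$<hexdigest>'.

    Storing the iteration count and salt alongside the digest is what lets
    the defaults change later without invalidating existing hashes.
    (salt is a keyword parameter here only so the tests are deterministic;
    real callers should let it default to a fresh random value.)
    """
    if salt is None:
        salt = gen_salt()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt.encode("utf-8"), iterations)
    return f"pbkdf2:sha256:{iterations}${salt}${dk.hex()}"


def parse_hash(stored: str) -> Tuple[str, int, str, str]:
    """Split a stored hash into (hash_name, iterations, salt, hexdigest)."""
    method, salt, digest = stored.split("$", 2)
    scheme, hash_name, iterations = method.split(":")
    if scheme != "pbkdf2":
        raise ValueError("unsupported scheme: " + scheme)
    return hash_name, int(iterations), salt, digest


def check_password(stored: str, password: str) -> bool:
    """Recompute PBKDF2 with the parameters embedded in `stored` and compare.

    Malformed hash strings verify as False rather than raising, and the
    comparison is constant-time so the digest length/prefix does not leak.
    """
    try:
        hash_name, iterations, salt, digest = parse_hash(stored)
        candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                        salt.encode("utf-8"), iterations).hex()
    except ValueError:
        return False
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS,
                 salt_length: int = SALT_LENGTH) -> bool:
    """True if `stored` was produced with weaker parameters than the current
    defaults. Call this right after a successful check_password and, if it
    returns True, replace the stored value with hash_password(password)."""
    _, stored_iters, salt, _ = parse_hash(stored)
    return stored_iters < iterations or len(salt) < salt_length


if __name__ == "__main__":
    # Constructed usage: an "older" hash made with fewer iterations and a
    # shorter salt (illustrative values, not taken from the PR) still verifies,
    # but is flagged for upgrade; a fresh hash is not.
    legacy = hash_password("hunter2", iterations=150_000, salt=gen_salt(8))
    current = hash_password("hunter2")
    print(legacy)
    print(current)
    print("legacy verifies:", check_password(legacy, "hunter2"))
    print("legacy needs rehash:", needs_rehash(legacy))
    print("current needs rehash:", needs_rehash(current))
```

The upgrade path this enables is the reason an iteration bump like the one in this PR is a one-line change rather than a migration: verification reads the cost from the stored string, so the new default only applies to hashes written after the upgrade, and `needs_rehash` lets an application opportunistically move old records to the new parameters when the user next logs in with the correct password.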