Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher.

2024-05-12 03:32:57 +09:00 · 2024-05-12 03:32:57 +09:00 · 8f205acea9
parent 50852b2c2c
commit 8f205acea9
3 changed files with 6 additions and 3 deletions
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@ -570,7 +570,7 @@ class ScryptPasswordHasher(BasePasswordHasher):
    algorithm = "scrypt"
    block_size = 8
    maxmem = 0
-    parallelism = 1
+    parallelism = 5
    work_factor = 2**14

    def encode(self, password, salt, n=None, r=None, p=None):
--- a/docs/releases/5.1.txt
+++ b/docs/releases/5.1.txt
@ -46,6 +46,9 @@ Minor features
 * The default iteration count for the PBKDF2 password hasher is increased from
  720,000 to 870,000.

+* In order to follow OWASP recommendations, the default ``parallelism`` of the
+  ``ScryptPasswordHasher`` is increased from 1 to 5.
+
 * :class:`~django.contrib.auth.forms.BaseUserCreationForm` and
  :class:`~django.contrib.auth.forms.AdminPasswordChangeForm` now support
  disabling password-based authentication by setting an unusable password on
--- a/tests/auth_tests/test_hashers.py
+++ b/tests/auth_tests/test_hashers.py
@ -650,8 +650,8 @@ class TestUtilsHashPassScrypt(SimpleTestCase):
        encoded = make_password("lètmein", "seasalt", "scrypt")
        self.assertEqual(
            encoded,
-            "scrypt$16384$seasalt$8$1$Qj3+9PPyRjSJIebHnG81TMjsqtaIGxNQG/aEB/NY"
-            "afTJ7tibgfYz71m0ldQESkXFRkdVCBhhY8mx7rQwite/Pw==",
+            "scrypt$16384$seasalt$8$5$ECMIUp+LMxMSK8xB/IVyba+KYGTI7FTnet025q/1f"
+            "/vBAVnnP3hdYqJuRi+mJn6ji6ze3Fbb7JEFPKGpuEf5vw==",
        )
        self.assertIs(is_password_usable(encoded), True)
        self.assertIs(check_password("lètmein", encoded), True)