[4.2.x] Increased the default PBKDF2 iterations for Django 4.2.

See https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2.

Thanks Markus Holtermann for the report.
This commit is contained in:
Mariusz Felisiak 2023-02-04 13:36:06 +01:00 committed by GitHub
parent beaa5f31e1
commit 9a1848f48c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 6 additions and 6 deletions

View File

@ -296,7 +296,7 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
"""
algorithm = "pbkdf2_sha256"
iterations = 480000
iterations = 600000
digest = hashlib.sha256
def encode(self, password, salt, iterations=None):

View File

@ -141,7 +141,7 @@ Minor features
~~~~~~~~~~~~~~~~~~~~~~~~~~
* The default iteration count for the PBKDF2 password hasher is increased from
390,000 to 480,000.
390,000 to 600,000.
* :class:`~django.contrib.auth.forms.UserCreationForm` now saves many-to-many
form fields for a custom user model.

View File

@ -84,7 +84,7 @@ class TestUtilsHashPass(SimpleTestCase):
encoded = make_password("lètmein", "seasalt", "pbkdf2_sha256")
self.assertEqual(
encoded,
"pbkdf2_sha256$480000$seasalt$G4ja8YRtfnNyEx4Ii2pbFMp/l8s4nnbMdJ+Fob/qNK8=",
"pbkdf2_sha256$600000$seasalt$OAXyhAQ/4ZDA9V5RMExt3C1OwQdUpLZ99vm1McFlLRA=",
)
self.assertTrue(is_password_usable(encoded))
self.assertTrue(check_password("lètmein", encoded))
@ -440,8 +440,8 @@ class TestUtilsHashPass(SimpleTestCase):
encoded = hasher.encode("lètmein", "seasalt2")
self.assertEqual(
encoded,
"pbkdf2_sha256$480000$seasalt2$WlORJKPl5w3Lubr7rYLOwSQCEOm4Or/NCA"
"aECnB1PE0=",
"pbkdf2_sha256$600000$seasalt2$OSllgFdJjYQjb0RfMzrx8u0XYl4Fkt+wKpI1yq4lZlo"
"=",
)
self.assertTrue(hasher.verify("lètmein", encoded))
@ -449,7 +449,7 @@ class TestUtilsHashPass(SimpleTestCase):
hasher = PBKDF2SHA1PasswordHasher()
encoded = hasher.encode("lètmein", "seasalt2")
self.assertEqual(
encoded, "pbkdf2_sha1$480000$seasalt2$qyT+EkK5g82hk2r+fRecFeoe28E="
encoded, "pbkdf2_sha1$600000$seasalt2$2CLsaL1MZhq6JOG6QOHtVbiopHE="
)
self.assertTrue(hasher.verify("lètmein", encoded))