
Consider increasing the default iteration count for PBKDF2 to follow OWASP recommendation #55690

Closed
1 task done
tomasherceg opened this issue May 13, 2024 · 3 comments
Labels
area-identity Includes: Identity and providers

Comments

@tomasherceg

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

The default number of iterations in the PasswordHasherOptions is 100,000, which is lower than the value recommended by OWASP.

Describe the solution you'd like

I am not a security expert, so I cannot assess whether the default of 100,000 is sufficient.
However, OWASP recommends 210,000 iterations (based on data from December 2022, which is quite dated).

The last change to this value was in .NET 7 in #40987, so I believe it should be reconsidered for .NET 9.
Alternatively, if 100.000 is still good enough, explaining the reasons in the documentation would be helpful.

Additional context

No response
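
The setting the issue is about, shown in working code. This is an added example, not code from the issue or from ASP.NET Core itself. It assumes a console project that references the Microsoft.Extensions.Identity.Core package; AppUser is a hypothetical user type chosen only to satisfy the generic parameter. It builds one PasswordHasher with the default 100,000 iterations and one with the 210,000 OWASP figure quoted above, times a hash under each so the speed/security trade-off can be measured on real hardware, and then verifies a hash produced under the old count with the raised-count hasher, which is the migration path an application would take if it did raise the number.

```csharp
// Added example, not ASP.NET Core's own code. Assumes a reference to
// Microsoft.Extensions.Identity.Core (which brings in Microsoft.Extensions.Options).
using System;
using System.Diagnostics;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

// Hypothetical user type; PasswordHasher<TUser> only needs it as a type parameter.
public sealed class AppUser
{
    public string UserName { get; set; } = "alice";
}

public static class Program
{
    // Build a hasher with an explicit PasswordHasherOptions.IterationCount.
    // In a web app the same knob is set at startup with
    //   builder.Services.Configure<PasswordHasherOptions>(o => o.IterationCount = 210_000);
    static PasswordHasher<AppUser> BuildHasher(int iterations)
    {
        var options = new PasswordHasherOptions
        {
            CompatibilityMode = PasswordHasherCompatibilityMode.IdentityV3, // PBKDF2-HMAC-SHA512 format
            IterationCount = iterations
        };
        return new PasswordHasher<AppUser>(Options.Create(options));
    }

    // Average wall-clock cost of one HashPassword call, in milliseconds.
    static double AverageHashMs(PasswordHasher<AppUser> hasher, AppUser user, string password, int rounds)
    {
        var sw = Stopwatch.StartNew();
        for (int i = 0; i < rounds; i++)
        {
            hasher.HashPassword(user, password);
        }
        sw.Stop();
        return sw.Elapsed.TotalMilliseconds / rounds;
    }

    public static void Main()
    {
        var user = new AppUser();
        const string password = "correct horse battery staple"; // constructed sample input

        var defaultHasher = BuildHasher(100_000); // the .NET 7+ default the issue refers to
        var raisedHasher = BuildHasher(210_000);  // the OWASP figure quoted in the issue

        // Each login (and each registration) pays this cost once, so the difference is
        // directly the extra request latency the maintainers weigh against attacker cost.
        Console.WriteLine($"100,000 iterations: {AverageHashMs(defaultHasher, user, password, 5):F1} ms per hash");
        Console.WriteLine($"210,000 iterations: {AverageHashMs(raisedHasher, user, password, 5):F1} ms per hash");

        // The V3 format embeds the iteration count in the stored hash, so a hash made under the
        // old count still verifies under the new one. PasswordHasher reports SuccessRehashNeeded
        // when the embedded count is below the configured one, which is the cue to re-hash at login.
        string legacyHash = defaultHasher.HashPassword(user, password);
        PasswordVerificationResult result = raisedHasher.VerifyHashedPassword(user, legacyHash, password);
        Console.WriteLine($"Legacy 100,000-iteration hash checked by the 210,000-iteration hasher: {result}");

        if (result == PasswordVerificationResult.SuccessRehashNeeded)
        {
            // What a login handler would do here: store this new hash in place of legacyHash.
            string upgradedHash = raisedHasher.HashPassword(user, password);
            PasswordVerificationResult recheck = raisedHasher.VerifyHashedPassword(user, upgradedHash, password);
            Console.WriteLine($"After re-hash at login: {recheck}");
        }
    }
}
```

Raising IterationCount is a one-line configuration change, but it has to be paired with the re-hash-on-login step shown at the end: existing rows keep their embedded 100,000 count until the user next authenticates, so an increase only protects a stored hash once it has been regenerated.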

@dotnet-issue-labeler dotnet-issue-labeler bot added the needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically label May 13, 2024
@gfoidl gfoidl added area-dataprotection Includes: DataProtection and removed needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically labels May 13, 2024
@adityamandaleeka adityamandaleeka added area-identity Includes: Identity and providers and removed area-dataprotection Includes: DataProtection labels May 13, 2024
@mkArtakMSFT mkArtakMSFT removed their assignment May 13, 2024
@MackinnonBuck
Member

@blowdart @GrabYourPitchforks What do you think about this suggestion?

@blowdart
Contributor

We've had this discussion internally and the result was "no".

There's a balance here between response speed and security, and while OWASP's recommendation may be fine for desktop apps, it adds too much of a delay for web apps.

@MackinnonBuck
Member

Thanks @blowdart!

Closing this out then, since it doesn't look like we're going to make any changes here.

@MackinnonBuck MackinnonBuck closed this as not planned Won't fix, can't repro, duplicate, stale May 22, 2024
6 participants