Consider increasing the default iteration count for PBKDF2 to follow OWASP recommendation #55690
Closed
Labels: area-identity (Includes: Identity and providers)

Label history:
dotnet-issue-labeler bot added the needs-area-label label (used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically), May 13, 2024
gfoidl added the area-dataprotection label (Includes: DataProtection) and removed the needs-area-label label, May 13, 2024
adityamandaleeka added the area-identity label (Includes: Identity and providers) and removed the area-dataprotection label, May 13, 2024

Comments
@blowdart @GrabYourPitchforks What do you think about this suggestion?

We've had this discussion internally and the result was "no". There's a balance here between response speed and security, and while OWASP's recommendation may be fine for desktop apps, it adds too much of a delay for web apps.

Thanks @blowdart! Closing this out then, since it doesn't look like we're going to make any changes here.
Is there an existing issue for this?
1 task done

Is your feature request related to a problem? Please describe the problem.
The default number of iterations in the PasswordHasherOptions is 100.000, which is lower than the value recommended by OWASP.

Describe the solution you'd like
I am not a security expert, so I cannot assess whether the default of 100.000 is sufficient.
However, OWASP recommends 210.000 iterations (based on data from December 2022, which is quite dated).
The last change to this value was in .NET 7 in #40987, so I believe it should be reconsidered for .NET 9.
Alternatively, if 100.000 is still good enough, explaining the reasons in the documentation would be helpful.

Additional context
No response