[SECURITY] default to pbkdf2 with 320,000 iterations

(cherry picked from commit 3ea0b287d7)
2023-02-20 23:25:12 +01:00 · 2023-02-20 23:25:12 +01:00 · db8392a8ac
commit db8392a8ac
parent 1574643a6a
3 changed files with 7 additions and 7 deletions
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@ -476,8 +476,8 @@ INTERNAL_TOKEN=
 ;;Classes include "lower,upper,digit,spec"
 ;PASSWORD_COMPLEXITY = off
 ;;
-;; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"
-;PASSWORD_HASH_ALGO = pbkdf2
+;; Password Hash algorithm, either "argon2", "pbkdf2"/"pbkdf2_v2", "pbkdf2_hi", "scrypt" or "bcrypt"
+;PASSWORD_HASH_ALGO = pbkdf2_hi
 ;;
 ;; Set false to allow JavaScript to read CSRF cookie
 ;CSRF_COOKIE_HTTP_ONLY = true
--- a/modules/auth/password/hash/setting.go
+++ b/modules/auth/password/hash/setting.go
@ -10,7 +10,7 @@ package hash
 //
 // It will be dealiased as per aliasAlgorithmNames whereas
 // defaultEmptyHashAlgorithmSpecification does not undergo dealiasing.
-const DefaultHashAlgorithmName = "pbkdf2"
+const DefaultHashAlgorithmName = "pbkdf2_hi"

 var DefaultHashAlgorithm *PasswordHashAlgorithm

--- a/modules/auth/password/hash/setting_test.go
+++ b/modules/auth/password/hash/setting_test.go
@ -28,11 +28,11 @@ func TestCheckSettingPasswordHashAlgorithm(t *testing.T) {
 		})
 	}

-	t.Run("pbkdf2_v2 is the default when default password hash algorithm is empty", func(t *testing.T) {
+	t.Run("pbkdf2_hi is the default when default password hash algorithm is empty", func(t *testing.T) {
 		emptyConfig, emptyAlgo := SetDefaultPasswordHashAlgorithm("")
-		pbkdf2v2Config, pbkdf2v2Algo := SetDefaultPasswordHashAlgorithm("pbkdf2_v2")
+		pbkdf2hiConfig, pbkdf2hiAlgo := SetDefaultPasswordHashAlgorithm("pbkdf2_hi")

-		assert.Equal(t, pbkdf2v2Config, emptyConfig)
-		assert.Equal(t, pbkdf2v2Algo.Specification, emptyAlgo.Specification)
+		assert.Equal(t, pbkdf2hiConfig, emptyConfig)
+		assert.Equal(t, pbkdf2hiAlgo.Specification, emptyAlgo.Specification)
 	})
 }