issue2551252 - increase PBKFD2 default rounds to 2,000,000.

rouilj · rouilj · commit 5a1748472fad · 2023-02-23T19:17:42.000-05:00
Current https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 for SHA1 recommends 1,300,000 so 2,000,000.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -72,6 +72,8 @@ Fixed:
   HTTP headers to calling javascript.
 - issue2551257: When downloading an attached (user supplied file),
   make sure that an 'X-Content-Type-Options: nosniff' header is sent.
+- issue2551252 - default number of rounds for PKDF2 password increased
+  to 2,000,000.
 
 Features:
 
diff --git a/roundup/configuration.py b/roundup/configuration.py
@@ -1085,7 +1085,8 @@ def str2value(self, value):
             "starting with python 2.5. Set this to a higher value if you\n"
             "get the error 'Error: field larger than field limit' during\n"
             "import."),
-        (IntegerNumberGeqZeroOption, 'password_pbkdf2_default_rounds', '10000',
+        (IntegerNumberGeqZeroOption, 'password_pbkdf2_default_rounds',
+         '2000000',
             "Sets the default number of rounds used when encoding passwords\n"
             "using the PBKDF2 scheme. Set this to a higher value on faster\n"
             "systems which want more security.\n"
