Commit

Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher.
JaeHyuckSa authored and sarahboyce committed May 17, 2024
1 parent 50852b2 commit 8f205ac
Showing 3 changed files with 6 additions and 3 deletions.
2 changes: 1 addition & 1 deletion django/contrib/auth/hashers.py
Expand Up @@ -570,7 +570,7 @@ class ScryptPasswordHasher(BasePasswordHasher):
algorithm = "scrypt"
block_size = 8
maxmem = 0
parallelism = 1
parallelism = 5
work_factor = 2**14

def encode(self, password, salt, n=None, r=None, p=None):
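Review bot: The new `parallelism = 5` default carries no comment saying where the value 5 comes from, although the release note in this same commit ties it to OWASP recommendations. A one-line comment beside the attribute would keep that rationale with the code. Since `work_factor = 2**14` and `block_size = 8` are left unchanged, raising p from 1 to 5 also multiplies the work per hash by five, so it is worth confirming the login latency is acceptable and stating the cost in the documentation.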
3 changes: 3 additions & 0 deletions docs/releases/5.1.txt
Expand Up @@ -46,6 +46,9 @@ Minor features
* The default iteration count for the PBKDF2 password hasher is increased from
720,000 to 870,000.

* In order to follow OWASP recommendations, the default ``parallelism`` of the
``ScryptPasswordHasher`` is increased from 1 to 5.

* :class:`~django.contrib.auth.forms.BaseUserCreationForm` and
:class:`~django.contrib.auth.forms.AdminPasswordChangeForm` now support
disabling password-based authentication by setting an unusable password on
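Review bot: The new bullet for ``ScryptPasswordHasher`` states that the default goes from 1 to 5 but not what that means for a deployment that already stores scrypt hashes created with parallelism 1. Suggest adding a sentence saying whether those hashes keep verifying and are re-hashed on next login, and that each hash now costs more to compute, since this is where people upgrading will look first.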
4 changes: 2 additions & 2 deletions tests/auth_tests/test_hashers.py
Expand Up @@ -650,8 +650,8 @@ def test_scrypt(self):
encoded = make_password("lètmein", "seasalt", "scrypt")
self.assertEqual(
encoded,
"scrypt$16384$seasalt$8$1$Qj3+9PPyRjSJIebHnG81TMjsqtaIGxNQG/aEB/NY"
"afTJ7tibgfYz71m0ldQESkXFRkdVCBhhY8mx7rQwite/Pw==",
"scrypt$16384$seasalt$8$5$ECMIUp+LMxMSK8xB/IVyba+KYGTI7FTnet025q/1f"
"/vBAVnnP3hdYqJuRi+mJn6ji6ze3Fbb7JEFPKGpuEf5vw==",
)
self.assertIs(is_password_usable(encoded), True)
self.assertIs(check_password("lètmein", encoded), True)
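Review bot: In `test_scrypt` the expected value is swapped from the `scrypt$16384$seasalt$8$1$...` form to the `scrypt$16384$seasalt$8$5$...` form, so after this change nothing in the hunk exercises a hash encoded with the old parallelism of 1. Suggest keeping the old encoded string as a separate case that asserts `check_password("lètmein", old_encoded)` is still True and that the hash is reported as needing an update, so compatibility with stored hashes is covered.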
