From 8f205acea94e93a463109e08814f78c09307f2b9 Mon Sep 17 00:00:00 2001 From: SaJH Date: Sun, 12 May 2024 03:32:57 +0900 Subject: [PATCH] Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher. --- django/contrib/auth/hashers.py | 2 +- docs/releases/5.1.txt | 3 +++ tests/auth_tests/test_hashers.py | 4 ++-- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py index e23ae6243ec6..b53974756119 100644 --- a/django/contrib/auth/hashers.py +++ b/django/contrib/auth/hashers.py @@ -570,7 +570,7 @@ class ScryptPasswordHasher(BasePasswordHasher): algorithm = "scrypt" block_size = 8 maxmem = 0 - parallelism = 1 + parallelism = 5 work_factor = 2**14 def encode(self, password, salt, n=None, r=None, p=None): diff --git a/docs/releases/5.1.txt b/docs/releases/5.1.txt index d60ccb973094..2def385f9870 100644 --- a/docs/releases/5.1.txt +++ b/docs/releases/5.1.txt @@ -46,6 +46,9 @@ Minor features * The default iteration count for the PBKDF2 password hasher is increased from 720,000 to 870,000. +* In order to follow OWASP recommendations, the default ``parallelism`` of the + ``ScryptPasswordHasher`` is increased from 1 to 5. + * :class:`~django.contrib.auth.forms.BaseUserCreationForm` and :class:`~django.contrib.auth.forms.AdminPasswordChangeForm` now support disabling password-based authentication by setting an unusable password on diff --git a/tests/auth_tests/test_hashers.py b/tests/auth_tests/test_hashers.py index 1b0d2c65be4b..bec298cc3a00 100644 --- a/tests/auth_tests/test_hashers.py +++ b/tests/auth_tests/test_hashers.py @@ -650,8 +650,8 @@ def test_scrypt(self): encoded = make_password("lètmein", "seasalt", "scrypt") self.assertEqual( encoded, - "scrypt$16384$seasalt$8$1$Qj3+9PPyRjSJIebHnG81TMjsqtaIGxNQG/aEB/NY" - "afTJ7tibgfYz71m0ldQESkXFRkdVCBhhY8mx7rQwite/Pw==", + "scrypt$16384$seasalt$8$5$ECMIUp+LMxMSK8xB/IVyba+KYGTI7FTnet025q/1f" + "/vBAVnnP3hdYqJuRi+mJn6ji6ze3Fbb7JEFPKGpuEf5vw==", ) self.assertIs(is_password_usable(encoded), True) self.assertIs(check_password("lètmein", encoded), True)