The recommended minimums for PBKDF2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
If FIPS-140 compliance is required, use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256.
Previous default configuration:
algorithm=SHA1, iterations=185000, hashLength=256
New default configuration:
algorithm=SHA256, iterations=310000, hashLength=256
The default salt length was also updated from 8 to 16.
Closes gh-10506, Closes gh-10489
The recommended minimums for scrypt, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
Use scrypt with a minimum CPU/memory cost parameter of (2^16), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.
Previous default configuration:
cpuCost=16384, memoryCost=8, parallelism=1
New default configuration:
cpuCost=65536, memoryCost=8, parallelism=1
The default salt length was also updated from 64 to 16.
Issue gh-10506
The recommended minimums for Argon2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
Use Argon2id with a minimum configuration of 15 MiB of memory, an iteration count of 2, and 1 degree of parallelism.
Previous default configuration:
memory=4, iterations=3, parallelism=1
New default configuration:
memory=16, iterations=2, parallelism=1
Issue gh-10506
Update AesBytesEncryptor constructors' javadoc to:
1. mention default IV length and encryption mode,
2. provide links to appropriate constructors that allow users to
specify custom IV and encryption mode.
Related to gh-3879 and gh-9361
Add constructors with a salt length input parameter.
Default salt length is still 8-byte long like before when
saltGenerator was initialized with call to
KeyGenerators#secureRandom() which use
SecureRandomBytesKeyGenerator#DEFAULT_KEY_LENGTH.
Closes gh-4372
Consistently use `assertThatExceptionOfType(...).isThrownBy(...)`
rather than `assertThatCode` or `assertThatThrownBy`. This aligns with
Spring Boot and Spring Cloud. It also allows the convenience
`assertThatIllegalArgument` and `assertThatIllegalState` methods to
be used.
Issue gh-8945
Remove all blank lines from test code so that test methods are
visually grouped together. This generally helps to make the test
classes easer to scan, however, the "given" / "when" / "then"
blocks used by some tests are now not as easy to discern.
Issue gh-8945
Marcus Hert Da Coregio
Tim te Beek
Krzysztof Krason
Joe Grandja
Rob Winch
Josh Cummings
Jihoon Cha
heowc
Eleftheria Stein
Prashant Tholia
Manousos Mathioudakis
Eleftheria Stein
Loic Guibert
Phillip Webb
uy-rrodriguez