spring-security

History

Joe Grandja c50441b59f Update default configuration for Pbkdf2PasswordEncoder The recommended minimums for PBKDF2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are: If FIPS-140 compliance is required, use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256. Previous default configuration: algorithm=SHA1, iterations=185000, hashLength=256 New default configuration: algorithm=SHA256, iterations=310000, hashLength=256 The default salt length was also updated from 8 to 16. Closes gh-10506, Closes gh-10489	2022-10-12 00:45:10 -04:00
..
main/java/org/springframework/security/crypto	Update default configuration for Pbkdf2PasswordEncoder	2022-10-12 00:45:10 -04:00
test	Update default configuration for Pbkdf2PasswordEncoder	2022-10-12 00:45:10 -04:00

Joe Grandja c50441b59f Update default configuration for Pbkdf2PasswordEncoder

The recommended minimums for PBKDF2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
If FIPS-140 compliance is required, use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256.

Previous default configuration:
algorithm=SHA1, iterations=185000, hashLength=256

New default configuration:
algorithm=SHA256, iterations=310000, hashLength=256

The default salt length was also updated from 8 to 16.

Closes gh-10506, Closes gh-10489

2022-10-12 00:45:10 -04:00

main/java/org/springframework/security/crypto

Update default configuration for Pbkdf2PasswordEncoder

2022-10-12 00:45:10 -04:00

test

Update default configuration for Pbkdf2PasswordEncoder

2022-10-12 00:45:10 -04:00