spring-security/crypto
Joe Grandja c50441b59f Update default configuration for Pbkdf2PasswordEncoder
The recommended minimums for PBKDF2, as per OWASP Cheat Sheet Series (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html), are:
If FIPS-140 compliance is required, use PBKDF2 with a work factor of 310,000 or more and set with an internal hash function of HMAC-SHA-256.

Previous default configuration:
algorithm=SHA1, iterations=185000, hashLength=256

New default configuration:
algorithm=SHA256, iterations=310000, hashLength=256

The default salt length was also updated from 8 to 16.

Closes gh-10506, Closes gh-10489
2022-10-12 00:45:10 -04:00
..
src Update default configuration for Pbkdf2PasswordEncoder 2022-10-12 00:45:10 -04:00
spring-security-crypto.gradle Restore ManagementConfigurationPlugin 2021-10-05 11:23:29 -03:00