FEATURE: Increase pbkdf2 iterations to 600k (#20981)

Existing passwords will continue to work. Hashes will be regenerated on a user's next login.
David Taylor 2023-04-11 11:56:20 +01:00 committed by GitHub
parent 352bd35bf6
commit ba5b035f6e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 5 deletions


@ -144,7 +144,7 @@ module Discourse
config.active_record.use_schema_cache_dump = false
# per https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
config.pbkdf2_iterations = 64_000
config.pbkdf2_iterations = 600_000
config.pbkdf2_algorithm = "sha256"
# rack lock is nothing but trouble, get rid of it
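Review bot: the commit message says existing hashes are regenerated on the user's next login, but nothing in this hunk touches that path; confirm the rehash-on-login logic keys off `config.pbkdf2_iterations` (so a stored hash made with `64_000` rounds is detected and re-derived at `600_000`) and that a test exercises it, otherwise the old 64k-round hashes stay in the database indefinitely. The comment above the setting still cites the legacy `www.owasp.org` wiki address for the Password Storage Cheat Sheet; check that the link resolves to the current cheat sheet and update it in the same change so the rationale for the new number stays traceable. A roughly tenfold increase in iterations also means a proportional increase in CPU time for every password verification, which is worth calling out in the commit or release notes for large installations.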


@ -14,10 +14,7 @@ For a list of recent security commits, check [our GitHub commits prefixed with S
Discourse uses the PBKDF2 algorithm to encrypt salted passwords. This algorithm is blessed by NIST. Security experts on the web [tend to agree that PBKDF2 is a secure choice](https://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage).
**options you can customize in your production.rb file**
- `pbkdf2_algorithm`: the hashing algorithm used (default "sha256")
- `pbkdf2_iterations`: the number of iterations to run (default 64000)
Discourse currently uses PBKDF2 with the sha256 hashing algorithm and 600,000 iterations.
### XSS
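Review bot: the removed bullets documented `pbkdf2_algorithm` and `pbkdf2_iterations` as options an admin can override in `production.rb`, and the replacement sentence drops that entirely; since both config keys still exist in the first file, either keep a short note that they remain overridable (with the new defaults) or state explicitly that the defaults are now the supported values. The unchanged sentence above the hunk also says PBKDF2 is used to "encrypt salted passwords"; PBKDF2 is a one-way key derivation function, so "hash" is the accurate verb, and this paragraph is already being edited.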