RustCrypto / password-hashes

Password hashing functions / KDFs

PBKDF2 default number of rounds not correct? #441

Closed olback closed 1 year ago

olback commented 1 year ago

The following is a snippet from simple.rs:

impl Params {
    /// Recommended number of PBKDF2 rounds (used by default).
    ///
    /// This number is adopted from the [OWASP cheat sheet]:
    ///
    /// > Use PBKDF2 with a work factor of 600,000 or more
    ///
    /// [OWASP cheat sheet]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
    pub const RECOMMENDED_ROUNDS: usize = 600_000;
}

impl Default for Params {
    fn default() -> Params {
        Params {
            rounds: 10_000,
            output_length: 32,
        }
    }
}

Is the Default impl correct here? Shouldn't it be something like this instead?

impl Default for Params {
    fn default() -> Params {
        Params {
            rounds: Self::RECOMMENDED_ROUNDS,
            output_length: 32,
        }
    }
}

I'd be happy to send a PR if this is the case.

Side note: The security advisory link in SECURITY.md does not work.
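An added example, not code from this issue or from the pbkdf2 crate: a Python model of the same `Params` with the default tied to `RECOMMENDED_ROUNDS`, plus PHC-string hashing and verification modelled on the crate's `$pbkdf2-sha256$i=...,l=...$salt$hash` layout. It shows the defender's caveat behind this fix: the iteration count is stored in every hash, so raising the default only hardens newly created hashes, and existing 10,000-round hashes still verify until they are rehashed.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Mirrors the crate's constant: OWASP's recommended PBKDF2 work factor.
RECOMMENDED_ROUNDS = 600_000


@dataclass(frozen=True)
class Params:
    rounds: int = RECOMMENDED_ROUNDS  # the fix: Default uses RECOMMENDED_ROUNDS
    output_length: int = 32           # derived key length in bytes


def default_matches_recommended() -> bool:
    """The check this issue asks for: does the default use the recommended count?"""
    return Params().rounds == RECOMMENDED_ROUNDS


def _b64(data: bytes) -> str:
    # PHC strings use standard base64 without '=' padding.
    return base64.b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: bytes, params: Params = Params(),
                  salt: Optional[bytes] = None) -> str:
    """Return a PHC string carrying the rounds (i=) and output length (l=) used."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, params.rounds, params.output_length)
    return f"$pbkdf2-sha256$i={params.rounds},l={params.output_length}${_b64(salt)}${_b64(dk)}"


def stored_rounds(phc: str) -> int:
    """Read the iteration count a stored hash was made with (useful for upgrade audits)."""
    param_str = phc.split("$")[2]
    return int(dict(kv.split("=") for kv in param_str.split(","))["i"])


def verify_password(password: bytes, phc: str) -> bool:
    """Re-derive with the rounds stored in the string, so old low-round hashes still verify."""
    _, ident, param_str, salt_b64, hash_b64 = phc.split("$")
    if ident != "pbkdf2-sha256":
        return False
    params = dict(kv.split("=") for kv in param_str.split(","))
    actual = hashlib.pbkdf2_hmac("sha256", password, _unb64(salt_b64),
                                 int(params["i"]), int(params["l"]))
    return hmac.compare_digest(actual, _unb64(hash_b64))
```

Auditing `stored_rounds()` over a credential store is how a deployment finds hashes still at the old 10,000-round default that need rehashing at next login.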

tarcieri commented 1 year ago

Yes, please prepare a PR.

Also the security advisory reporting should be enabled now.

olback commented 1 year ago

Aight, see #442