Problem
If the password hashing functions in use are PBKDF2 and bcrypt, the auditors suggest that, at the current work factors, these may not provide sufficient protection against determined attackers with access to modern hardware. They also note, however, that sufficiently strong passwords may still be impractical or impossible to crack under the current configuration. This is not a risk finding, just information.
Solution
Review the usage of PBKDF2 and bcrypt to determine whether a change is needed. If so, decide whether to raise the work factor of the existing functions or to move to another password hashing function such as Argon2id. The auditors recommend increasing the PBKDF2 iteration count to at least 1,000,000 and the bcrypt cost factor to at least 12 (bcrypt's cost is logarithmic, so cost 12 means 2^12 = 4,096 rounds).
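The review and the upgrade can be scripted. The following is an added example written for this issue, not code from the project: it parses stored hashes, flags any whose work factor is below the thresholds above, and, on a successful PBKDF2 login, transparently rehashes the password at the new iteration count so existing users are migrated without a reset. The storage formats (a Django-style `pbkdf2_sha256$iterations$salt$hash` string and the standard `$2b$cost$...` bcrypt string) and the sample hashes are assumptions constructed for the example; bcrypt hashes are only inspected here, not verified, to keep the example on the standard library.

```python
"""Audit stored password hashes against the auditors' thresholds and
upgrade under-strength PBKDF2 hashes on successful login.

Assumed storage formats (constructed for this example, not the project's):
  PBKDF2:  pbkdf2_sha256$<iterations>$<salt_b64>$<dk_b64>
  bcrypt:  $2b$<cost>$<22-char salt><31-char hash>   (cost is log2 of the rounds)
"""
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Thresholds recommended by the auditors in this issue.
PBKDF2_MIN_ITERATIONS = 1_000_000
BCRYPT_MIN_COST = 12

PBKDF2_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([^$]+)\$([^$]+)$")
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def pbkdf2_hash(password: str, iterations: int = PBKDF2_MIN_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash and encode it with its parameters."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters; constant-time compare."""
    m = PBKDF2_RE.match(stored)
    if not m:
        return False
    iterations = int(m.group(1))
    salt = base64.b64decode(m.group(2))
    expected = base64.b64decode(m.group(3))
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations,
                             dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def work_factor(stored: str) -> Optional[Tuple[str, int]]:
    """Return (scheme, work factor) parsed from a stored hash, or None if unrecognised."""
    m = PBKDF2_RE.match(stored)
    if m:
        return ("pbkdf2_sha256", int(m.group(1)))
    m = BCRYPT_RE.match(stored)
    if m:
        return ("bcrypt", int(m.group(1)))
    return None


def needs_upgrade(stored: str) -> bool:
    """True when the hash is below the recommended work factor (or unrecognised)."""
    parsed = work_factor(stored)
    if parsed is None:
        return True  # unknown scheme: surface it for manual review
    scheme, factor = parsed
    if scheme == "pbkdf2_sha256":
        return factor < PBKDF2_MIN_ITERATIONS
    return factor < BCRYPT_MIN_COST


def audit(records: List[Tuple[str, str]]) -> List[str]:
    """Return the usernames whose stored hash should be upgraded."""
    return [user for user, stored in records if needs_upgrade(stored)]


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Verify a PBKDF2 login; on success, rehash at the new iteration count
    if the stored hash is under-strength. Returns (authenticated, hash_to_store)."""
    if not pbkdf2_verify(password, stored):
        return (False, stored)
    if needs_upgrade(stored):
        return (True, pbkdf2_hash(password))
    return (True, stored)


if __name__ == "__main__":
    # Constructed sample records: one legacy PBKDF2 hash, two bcrypt strings.
    legacy = pbkdf2_hash("correct horse battery staple", iterations=10_000)
    records = [
        ("alice", legacy),
        ("bob", "$2b$10$" + "a" * 53),   # cost 10: below threshold
        ("carol", "$2b$12$" + "b" * 53), # cost 12: acceptable
    ]
    print("needs upgrade:", audit(records))
    ok, new_hash = login_and_upgrade("correct horse battery staple", legacy)
    print("alice authenticated:", ok, "-> new work factor:", work_factor(new_hash))
```

The same parse-and-compare pattern applies when moving to Argon2id: store the parameters alongside the hash, verify with the stored ones, and rehash with the new scheme on the next successful login.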
Alternatives
No response