
Improve bcrypt to match OWASP

Open jwag956 opened this issue 5 years ago • 3 comments

passlib has a work factor of 12 by default. OWASP wants at least 13. We should set that as default config for SECURITY_PASSWORD_HASH_OPTIONS and add to documentation what that config variable looks like.

jwag956 avatar Nov 07 '19 23:11 jwag956

@jwag956 is this still a need? I'm happy to put up a PR for this.

akravetz avatar Mar 23 '21 21:03 akravetz

I believe so - note also that in the meantime - PASSWORD_HASH_OPTIONS has been deprecated and now should be PASSWORD_HASH_PASSLIB_OPTIONS.

It would be great if you wanted to issue a PR - please verify on OWASP that that is still the recommended value.

jwag956 avatar Mar 25 '21 20:03 jwag956

please verify on OWASP that that is still the recommended value.

The current state is:

OWASP v4.0 Verify that if bcrypt is used, the work factor SHOULD be as large as verification server performance will allow, with a minimum of 10.

OWASP v5.0 Verify that if bcrypt is used, the work factor is a minimum of 10 and password size is limited to 72-bytes due to bcrypt's input limit.

stfnx avatar Feb 27 '24 12:02 stfnx
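The two things the thread asks for are a concrete SECURITY_PASSWORD_HASH_PASSLIB_OPTIONS setting (jwag956's comment above) and a check against the OWASP ASVS text stfnx quoted (minimum work factor of 10, 72-byte bcrypt input limit). The following is an added example, not Flask-Security's or passlib's own code. It assumes that Flask-Security forwards the options dict as keyword arguments to passlib's CryptContext, where bcrypt's cost is spelled `bcrypt__rounds`; the helper names and the sample config are constructed for this illustration.

```python
"""Build a bcrypt options dict for Flask-Security and check the two OWASP
constraints quoted in the thread. Added example, not project code."""

OWASP_MIN_BCRYPT_ROUNDS = 10   # ASVS minimum quoted in the thread
BCRYPT_MAX_ROUNDS = 31         # upper bound of the bcrypt cost parameter
BCRYPT_MAX_INPUT_BYTES = 72    # bcrypt ignores input bytes past this point


def bcrypt_passlib_options(rounds: int = 13) -> dict:
    """Return the dict to assign to SECURITY_PASSWORD_HASH_PASSLIB_OPTIONS.

    Assumption: Flask-Security passes this dict to passlib's CryptContext,
    whose per-scheme option naming is '<scheme>__<option>'.
    """
    if rounds < OWASP_MIN_BCRYPT_ROUNDS:
        raise ValueError(
            f"bcrypt rounds {rounds} is below the OWASP minimum "
            f"of {OWASP_MIN_BCRYPT_ROUNDS}"
        )
    if rounds > BCRYPT_MAX_ROUNDS:
        raise ValueError(f"bcrypt rounds must be <= {BCRYPT_MAX_ROUNDS}")
    return {"bcrypt__rounds": rounds}


def bcrypt_input_ok(password: str) -> bool:
    """True if the UTF-8 encoding fits bcrypt's 72-byte limit.

    Counting characters is not enough: non-ASCII characters encode to
    several bytes each, so a 40-character password can exceed the limit.
    """
    return len(password.encode("utf-8")) <= BCRYPT_MAX_INPUT_BYTES


def bcrypt_effective_bytes(password: str) -> int:
    """Number of bytes bcrypt actually hashes; anything past 72 is dropped."""
    return min(len(password.encode("utf-8")), BCRYPT_MAX_INPUT_BYTES)


if __name__ == "__main__":
    # Constructed Flask config of the shape the issue asks the docs to show.
    app_config = {
        "SECURITY_PASSWORD_HASH": "bcrypt",
        "SECURITY_PASSWORD_HASH_PASSLIB_OPTIONS": bcrypt_passlib_options(13),
    }
    print(app_config)

    # Constructed inputs: an ASCII password and a non-ASCII one of equal length.
    for pw in ("a" * 40, "\u00e9" * 40):
        print(len(pw), "chars ->", bcrypt_effective_bytes(pw), "bytes hashed",
              "(ok)" if bcrypt_input_ok(pw) else "(exceeds 72 bytes)")

    # Optional: show the work factor embedded in the hash prefix ($2b$13$).
    try:
        from passlib.context import CryptContext
        ctx = CryptContext(schemes=["bcrypt"],
                           **app_config["SECURITY_PASSWORD_HASH_PASSLIB_OPTIONS"])
        print(ctx.hash("correct horse battery staple")[:7])
    except Exception as exc:  # passlib or the bcrypt backend may be absent
        print("hash demo skipped:", exc)
```

The byte check is the part worth keeping in a login path: enforcing a character-count policy alone lets a long non-ASCII password silently lose its tail before hashing.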

At this point - I think #944 is a better option than fiddling with bcrypt.

jwag956 avatar Mar 23 '24 15:03 jwag956