django-mfa2
In recovery.py, the number of hashing iterations defined by RECOVERY_ITERATION should not default to 1 if RECOVERY_ITERATION is not defined in settings.py
In the class Hash in recovery.py you can see the following:

```python
class Hash(PBKDF2PasswordHasher):
    algorithm = 'pbkdf2_sha256_custom'
    iterations = getattr(settings, "RECOVERY_ITERATION", 1)
```
In case RECOVERY_ITERATION is not defined in settings.py, the value for iterations will default to 1.
Although the risk posed by an inadequate number of hashing iterations for the recovery tokens is maybe not the biggest concern in case of a leak of the User_keys table, and potentially other tables in the database, it is still bad practice and I would advise against it, as it normalises the reuse of such code.
The current value recommended by Django is 720000 iterations, while the default the package suggests is 350000.
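As an added example (not django-mfa2's own code), the following shows the safe pattern for the settings lookup above, falling back to the Django-recommended count quoted in this report instead of 1 and rejecting an explicitly weak value, together with an audit helper that parses stored recovery hashes in Django's `algorithm$iterations$salt$hash` layout and flags rows hashed with too few iterations. `resolve_iterations`, `encode_token` and `audit_encoded` are hypothetical names, and the hashes are constructed inline with `hashlib` rather than Django's hasher.

```python
import base64
import hashlib
import secrets

# Numbers quoted in the report: the package default and Django's recommendation.
PACKAGE_DEFAULT_ITERATIONS = 350000
DJANGO_RECOMMENDED_ITERATIONS = 720000
ALGORITHM = "pbkdf2_sha256_custom"


def resolve_iterations(settings, fallback=DJANGO_RECOMMENDED_ITERATIONS,
                       minimum=PACKAGE_DEFAULT_ITERATIONS):
    """Read RECOVERY_ITERATION from a settings object (hypothetical helper).

    Unlike getattr(settings, "RECOVERY_ITERATION", 1), a missing setting falls
    back to a strong default, and a deliberately weak value is refused rather
    than silently accepted.
    """
    value = getattr(settings, "RECOVERY_ITERATION", fallback)
    if not isinstance(value, int) or value < minimum:
        raise ValueError(
            f"RECOVERY_ITERATION={value!r} is below the minimum of {minimum}")
    return value


def encode_token(token, iterations, salt=""):
    """Hash a recovery token in Django's PBKDF2 layout: algorithm$iterations$salt$b64."""
    salt = salt or secrets.token_hex(11)
    digest = hashlib.pbkdf2_hmac("sha256", token.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode()}"


def audit_encoded(encoded, minimum=PACKAGE_DEFAULT_ITERATIONS):
    """Parse a stored hash and return (iterations, is_weak) for a DB-wide audit."""
    algorithm, iterations, _salt, _hash = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError(f"unexpected algorithm {algorithm!r}")
    iterations = int(iterations)
    return iterations, iterations < minimum


if __name__ == "__main__":
    # Constructed sample rows: one hashed with the weak fallback, one with the package default.
    for row in (encode_token("1234-5678", 1, "demosalt"),
                encode_token("1234-5678", PACKAGE_DEFAULT_ITERATIONS, "demosalt")):
        count, weak = audit_encoded(row)
        print(f"{count:>7} iterations -> {'WEAK' if weak else 'ok'}")
```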