pbkdf2-scala
Crypto-js vulnerability, lessons learned
Quite a shocking story:
Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both (1) defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005 and (2) defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeasure to preimage and collision attacks.
https://github.com/advisories/GHSA-xwcq-pm8m-c4vf
The impact will be big, since there will be many websites out there with poor password hashing.
Advisories for pbkdf2-scala
- Warnings when using too few iterations
- Warnings when using SHA1
By adding these warnings to the application, applications that use pbkdf2-scala can improve their configuration. Since it's quite common to misconfigure pbkdf2, we could do more to assist users.
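One way the two proposed warnings could look, as an added example that is not pbkdf2-scala's own code or API: a parameter check placed in front of the JDK's PBKDF2 implementation. The object and method names are hypothetical, and the minimum iteration counts are assumed baselines taken from the OWASP Password Storage Cheat Sheet (the SHA1 figure matches the 1,300,000 cited in the advisory).

```scala
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

// Hypothetical helper for illustration; not part of pbkdf2-scala.
object Pbkdf2ConfigCheck {
  // Assumed minimum iterations per HMAC algorithm (OWASP cheat sheet figures).
  val minIterations: Map[String, Int] = Map(
    "HmacSHA1"   -> 1300000,
    "HmacSHA256" -> 600000,
    "HmacSHA512" -> 210000
  )

  /** One warning per weak setting; an empty list means nothing to report. */
  def warnings(algorithm: String, iterations: Int): List[String] = {
    val sha1 =
      if (algorithm == "HmacSHA1")
        List("PBKDF2 is configured with HmacSHA1; prefer HmacSHA256 or HmacSHA512")
      else Nil
    val iters = minIterations.get(algorithm) match {
      case Some(min) if iterations < min =>
        List(s"$iterations iterations of $algorithm is below the assumed minimum of $min")
      case Some(_) => Nil
      case None    => List(s"no iteration baseline known for $algorithm; review manually")
    }
    sha1 ++ iters
  }

  /** Logs any warnings to stderr, then derives the key with the JDK's PBKDF2. */
  def derive(password: Array[Char], salt: Array[Byte], algorithm: String,
             iterations: Int, keyLengthBits: Int): Array[Byte] = {
    warnings(algorithm, iterations).foreach(w => System.err.println(s"WARN pbkdf2: $w"))
    val spec = new PBEKeySpec(password, salt, iterations, keyLengthBits)
    try SecretKeyFactory.getInstance(s"PBKDF2With$algorithm").generateSecret(spec).getEncoded
    finally spec.clearPassword()
  }
}

object Demo {
  def main(args: Array[String]): Unit = {
    // Constructed fixed salt for the demo only; real salts are random per password.
    val salt = Array.fill[Byte](16)(1)
    // SHA1 with a single iteration (the crypto-js defaults): two warnings.
    Pbkdf2ConfigCheck.derive("correct horse".toCharArray, salt, "HmacSHA1", 1, 256)
    // SHA256 at the assumed baseline: no warnings.
    Pbkdf2ConfigCheck.derive("correct horse".toCharArray, salt, "HmacSHA256", 600000, 256)
  }
}
```

Because `warnings` returns a list rather than logging directly, the same check can also run at application start-up or in a configuration test and fail the build instead of only printing.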