dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.

Home Page: https://asp.net


Consider increasing the default iteration count for PBKDF2 to follow OWASP recommendation

tomasherceg opened this issue · comments

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

The default number of iterations in the PasswordHasherOptions is 100.000, which is lower than the value recommended by OWASP.

Describe the solution you'd like

I am not a security expert, so I cannot assess whether the default of 100.000 is sufficient.
However, OWASP recommends 210.000 iterations (based on data from December 2022, which is quite dated).

The last change to this value was in .NET 7 in #40987, so I believe it should be reconsidered for .NET 9.
Alternatively, if 100.000 is still good enough, explaining the reasons in the documentation would be helpful.

Additional context

No response
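The issue is about the `IterationCount` setting on `PasswordHasherOptions`. The following is an added example, not code from the aspnetcore repository or from the issue author, showing how an application raises the PBKDF2 iteration count above the default and how existing hashes made with a lower count get upgraded at login. It assumes a hypothetical `AppUser` type, a constructed sample password, and that 210.000 iterations fits the application's login latency budget; the `PasswordHasher<TUser>`, `PasswordHasherOptions`, and `PasswordVerificationResult` types are the real ones from `Microsoft.AspNetCore.Identity`.

```csharp
using System;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

// Hypothetical user type: PasswordHasher<TUser> only needs it as a type parameter.
public sealed class AppUser
{
    public string UserName { get; set; } = "";
}

public static class PasswordHashingDemo
{
    // Builds a hasher with an explicit PBKDF2 iteration count instead of the
    // 100.000 default discussed in the issue. IdentityV3 is the format that
    // embeds the iteration count in the stored hash, which is what makes the
    // rehash-on-login upgrade below possible.
    public static PasswordHasher<AppUser> CreateHasher(int iterations) =>
        new PasswordHasher<AppUser>(Options.Create(new PasswordHasherOptions
        {
            CompatibilityMode = PasswordHasherCompatibilityMode.IdentityV3,
            IterationCount = iterations,
        }));

    public static void Main()
    {
        var user = new AppUser { UserName = "alice" };                  // constructed sample user
        const string password = "correct horse battery staple";        // constructed sample password

        // A hash that was stored while the application still used the old default.
        var legacyHasher = CreateHasher(100_000);
        string storedHash = legacyHasher.HashPassword(user, password);

        // The same hash verified by a hasher configured with the higher count
        // (the 210.000 figure the issue quotes from OWASP; assumed acceptable here).
        var currentHasher = CreateHasher(210_000);
        PasswordVerificationResult result =
            currentHasher.VerifyHashedPassword(user, storedHash, password);
        Console.WriteLine($"Verification of legacy hash: {result}");

        // Because the stored hash carries its own iteration count, the hasher can
        // tell that it is weaker than the configured value and asks for a rehash.
        // The plaintext is only available during login, so this is the moment to
        // recompute the hash and persist the new value.
        if (result == PasswordVerificationResult.SuccessRehashNeeded)
        {
            storedHash = currentHasher.HashPassword(user, password);
            // persist storedHash for the user here
        }

        Console.WriteLine(
            $"Verification after rehash: {currentHasher.VerifyHashedPassword(user, storedHash, password)}");
    }
}
```

In an application the same setting is normally applied through dependency injection, `builder.Services.Configure<PasswordHasherOptions>(o => o.IterationCount = 210_000);`, rather than by constructing the hasher by hand; Identity's `SignInManager` then performs the rehash-on-login step itself when `VerifyHashedPassword` returns `SuccessRehashNeeded`. Whatever count is chosen, measure `HashPassword` latency on the production hardware, since every login pays that cost and an attacker controlling the username can force it on each attempt.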