Consider increasing the default iteration count for PBKDF2 to follow OWASP recommendation
tomasherceg opened this issue · comments
Tomáš Herceg commented
Is there an existing issue for this?
- I have searched the existing issues
Is your feature request related to a problem? Please describe the problem.
The default number of iterations in the PasswordHasherOptions
is 100.000, which is lower than the value recommended by OWASP.
Describe the solution you'd like
I am not a security expert, so I cannot assess whether the default of 100.00 is sufficient.
However, OWASP recommends 210.000 iterations (based on data from December 2022, which is quite dated).
The last change to this value was in .NET 7 in #40987, so I believe it should be reconsidered for .NET 9.
Alternatively, if 100.000 is still good enough, explaining the reasons in the documentation would be helpful.
Additional context
No response