use scrypt by default (#2771)

pallets · Aug 14, 2023 · 47c6bd5 · 47c6bd5
2 parents ea77ffd + 9a21003
commit 47c6bd5
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -6,6 +6,7 @@ Version 3.0.0
 Unreleased
 
 -   Remove previously deprecated code. :pr:`2768`
+-   ``generate_password_hash`` uses scrypt by default. :issue:`2769`
 
 
 Version 2.3.8

diff --git a/src/werkzeug/security.py b/src/werkzeug/security.py
@@ -67,17 +67,16 @@ def _hash_internal(method: str, salt: str, password: str) -> tuple[str, str]:
 
 
 def generate_password_hash(
-    password: str, method: str = "pbkdf2", salt_length: int = 16
+    password: str, method: str = "scrypt", salt_length: int = 16
 ) -> str:
     """Securely hash a password for storage. A password can be compared to a stored hash
     using :func:`check_password_hash`.
 
     The following methods are supported:
 
-    -   ``scrypt``, more secure but not available on PyPy. The parameters are ``n``,
-        ``r``, and ``p``, the default is ``scrypt:32768:8:1``. See
-        :func:`hashlib.scrypt`.
-    -   ``pbkdf2``, the default. The parameters are ``hash_method`` and ``iterations``,
+    -   ``scrypt``, the default. The parameters are ``n``, ``r``, and ``p``, the default
+        is ``scrypt:32768:8:1``. See :func:`hashlib.scrypt`.
+    -   ``pbkdf2``, less secure. The parameters are ``hash_method`` and ``iterations``,
         the default is ``pbkdf2:sha256:600000``. See :func:`hashlib.pbkdf2_hmac`.
 
     Default parameters may be updated to reflect current guidelines, and methods may be

diff --git a/tests/test_security.py b/tests/test_security.py
@@ -11,7 +11,7 @@
 
 def test_default_password_method():
     value = generate_password_hash("secret")
-    assert value.startswith("pbkdf2:")
+    assert value.startswith("scrypt:")
 
 
 @pytest.mark.xfail(