increase pbkdf2 iterations

pallets · Oct 27, 2024 · 763609a · 763609a
1 parent 2139fa0
commit 763609a
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -17,6 +17,8 @@ Unreleased
 -   Add ``stale_while_revalidate`` and ``stale_if_error`` properties to
     ``ResponseCacheControl``. :issue:`2948`
 -   Add 421 ``MisdirectedRequest`` HTTP exception. :issue:`2850`
+-   Increase default work factor for PBKDF2 to 1,000,000 iterations. :issue:`2969`
+
 
 
 Version 3.0.6

diff --git a/src/werkzeug/security.py b/src/werkzeug/security.py
@@ -7,7 +7,7 @@
 import secrets
 
 SALT_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
-DEFAULT_PBKDF2_ITERATIONS = 600000
+DEFAULT_PBKDF2_ITERATIONS = 1_000_000
 
 _os_alt_seps: list[str] = list(
     sep for sep in [os.sep, os.path.altsep] if sep is not None and sep != "/"

diff --git a/tests/test_security.py b/tests/test_security.py
@@ -25,7 +25,7 @@ def test_scrypt():
 def test_pbkdf2():
     value = generate_password_hash("secret", method="pbkdf2")
     assert check_password_hash(value, "secret")
-    assert value.startswith("pbkdf2:sha256:600000$")
+    assert value.startswith("pbkdf2:sha256:1000000$")
 
 
 def test_salted_hashes():