Idea ID: 2872350

PBKDF2 iteration count

Status: New Idea

According to the documentation, by default the iteration count is set to 1. That seems quite low. When the standard was written the minimum was 1000: https://datatracker.ietf.org/doc/html/rfc2898#section-4.2

According to OWASP the recommended iteration count at the moment is 310 000 for SHA-256 and 120 000 for SHA-512.

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2

Labels:

Other
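An added example, not part of the original post and not the product's own code: with a default of 1 iteration, stored hashes need a path up to the minimums quoted above, and one common approach is to re-hash at the next successful login. The `pbkdf2$algo$iterations$salt$hash` record format and all function names here are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Minimum iteration counts as quoted in the post (OWASP figures at that time).
MIN_ITERATIONS = {"sha256": 310_000, "sha512": 120_000}


def hash_password(password, algo="sha256", iterations=None, salt=None):
    """Return a record: pbkdf2$<algo>$<iterations>$<salt hex>$<key hex>."""
    iterations = MIN_ITERATIONS[algo] if iterations is None else iterations
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${algo}${iterations}${salt.hex()}${dk.hex()}"


def parse_record(record):
    """Split a record into (algo, iterations, salt, key); reject unknown schemes."""
    scheme, algo, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2" or algo not in MIN_ITERATIONS:
        raise ValueError("unsupported record")
    return algo, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_and_upgrade(password, record):
    """Return (ok, new_record).

    new_record is set only when the password is correct but the stored
    iteration count is below the minimum for its hash function; the caller
    should then replace the stored record with it.
    """
    algo, iterations, salt, expected = parse_record(record)
    dk = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    if not hmac.compare_digest(dk, expected):
        return False, None
    if iterations < MIN_ITERATIONS[algo]:
        return True, hash_password(password, algo)
    return True, None


if __name__ == "__main__":
    # Constructed sample: a record created with an iteration count of 1.
    legacy = hash_password("correct horse", iterations=1, salt=bytes(16))
    ok, upgraded = verify_and_upgrade("correct horse", legacy)
    print(ok, parse_record(upgraded)[1])
```

Records created with a low count stay weak until the user next logs in, so an audit that counts records below `MIN_ITERATIONS` shows how much of the store is still exposed.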