in recovery.py The number of hashing iterations defined by RECOVERY_ITERATION, should not default to 1 if RECOVERY_ITERATION is not defined in settings.py

in the `class Hash` in `recovery.py` you can see the following:
```
class Hash(PBKDF2PasswordHasher):
    algorithm = 'pbkdf2_sha256_custom'
    iterations = getattr(settings,"RECOVERY_ITERATION",1)
```

in the case RECOVERY_ITERATION was not defined in settings.py, the value for `iterations` will default to `1`.

Although that the risk posed by an inadequate number of hashing iterations for the recovery tokens is maybe not the biggest concern in case of any leak to the User_keys table, and potentially other tables in the database. it is still a bad practice and I would advise against it, as it normalises the reuse of such code.

The current recommended value (by django) is 720000 iterations, while the default the package is suggesting is 350000.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

in recovery.py The number of hashing iterations defined by RECOVERY_ITERATION, should not default to 1 if RECOVERY_ITERATION is not defined in settings.py #76

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

in recovery.py The number of hashing iterations defined by RECOVERY_ITERATION, should not default to 1 if RECOVERY_ITERATION is not defined in settings.py #76

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions