
2.4.4 #1000

Closed
jmanico opened this issue May 19, 2021 · 2 comments
Labels: 1) Discussion ongoing (Issue is opened and assigned but no clear proposal yet)

Comments

@jmanico (Member)

jmanico commented May 19, 2021

bcrypt 13 is too aggressive; we should be suggesting bcrypt 10.

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

@Sjord (Contributor)

Sjord commented Jun 3, 2021

This refers to 2.4.4, not 2.2.4:

2.4.4 Verify that if bcrypt is used, the work factor SHOULD be as large as verification server performance will allow, typically at least 13.

Work factors correspond to time roughly like this, on my laptop:

bcrypt work factor   time
10                   50 ms
11                   100 ms
12                   200 ms
13                   400 ms

I think 10 is acceptable. I agree that 13 is a bit much.
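A calibration helper for the kind of measurement described in the comment above, added here as an example; it is not code from this thread or from the ASVS project. It assumes the third-party `bcrypt` package for live timings, and the `projected_ms`, `choose_work_factor` and `calibrate` names are this example's own.

```python
"""Pick a bcrypt work factor from measured timings (constructed example)."""
import time
from typing import Callable, Dict, Iterable, Tuple

try:
    import bcrypt  # third-party package (pip install bcrypt); assumed, not part of the thread
except ImportError:  # the helpers below still work on timings supplied by hand
    bcrypt = None


def projected_ms(base_cost: int, base_ms: float, cost: int) -> float:
    """Extrapolate from one measured cost: each +1 on the work factor doubles the time."""
    return base_ms * 2 ** (cost - base_cost)


def measure_ms(hash_once: Callable[[int], None], cost: int, rounds: int = 3) -> float:
    """Median wall-clock milliseconds of hash_once(cost) over a few rounds (noise-tolerant)."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        hash_once(cost)
        samples.append((time.perf_counter() - start) * 1000)
    samples.sort()
    return samples[len(samples) // 2]


def choose_work_factor(timings_ms: Dict[int, float], budget_ms: float, floor: int = 10) -> int:
    """Largest cost whose measured time fits the per-verification budget, never below floor."""
    fitting = [cost for cost, ms in timings_ms.items() if ms <= budget_ms]
    return max(floor, max(fitting)) if fitting else floor


def bcrypt_hash_once(cost: int) -> None:
    """One real bcrypt hash at the given cost; requires the bcrypt package."""
    bcrypt.hashpw(b"correct horse battery staple", bcrypt.gensalt(rounds=cost))


def calibrate(budget_ms: float, costs: Iterable[int] = range(10, 15),
              hash_once: Callable[[int], None] = bcrypt_hash_once) -> Tuple[int, Dict[int, float]]:
    """Time each candidate cost on this machine and return (chosen cost, measurements)."""
    timings = {cost: measure_ms(hash_once, cost) for cost in costs}
    return choose_work_factor(timings, budget_ms), timings


if __name__ == "__main__":
    chosen, timings = calibrate(budget_ms=250)
    for cost, ms in timings.items():
        print(f"cost {cost}: {ms:.0f} ms")
    print(f"largest work factor within 250 ms on this machine: {chosen}")
```

Run it on the verification server itself rather than a laptop, since the budget that matters is the login path's latency under that server's real load.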

@elarlang elarlang added the 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet label Jul 20, 2021
@jmanico jmanico changed the title 2.2.4 2.4.4 Sep 24, 2021
@jmanico (Member, Author)

jmanico commented Sep 24, 2021

This has been updated for a different issue making this issue moot.

@jmanico jmanico closed this as completed Sep 24, 2021
elarlang pushed a commit to elarlang/ASVS that referenced this issue Oct 25, 2021