Update default configuration for Pbkdf2PasswordEncoder #10489
Description
Expected Behavior
Pbkdf2PasswordEncoder should not let you generate a hash longer than the hash function. This should either return an error or reduce the output size to match the hash output size: 160 for SHA1, 256 for SHA256, and 512 for SHA512.
Current Behavior
Pbkdf2PasswordEncoder doesn't prevent bad settings.
Context
Pbkdf2PasswordEncoder defaults to SHA1 and 256 bits of output. This causes the defender to waste time generating the last 96 bits of output that an attacker is just going to ignore. Also PBKDF2-SHA1 with 185k iterations does not meet the bare minimum for good settings:
PBKDF2-SHA512: 120,000
PBKDF2-SHA256: 350,000
PBKDF2-SHA1: 720,000
I suggest you at least change PBKDF2's default to SHA512 and 120k iterations or more. Also you could change matches() to truncate the hash to save time on checking.