
Increase PBKDF2 iteration count to OWASP recommendations#5911

Open
samdescole wants to merge 1 commit intowso2:masterfrom
samdescole:patch-1

Conversation


@samdescole samdescole commented Feb 19, 2026

Updated PBKDF2 iteration count from 10000 to 600000 in the configuration and documentation. This follows the latest OWASP recommendations found here: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

Purpose

While setting up my WSO2 Identity Server following the docs closely, I noticed that the security recommendations for password hashing are not up to standard. To ensure secure storing of passwords, the parameters should be adjusted to comply with current computational force.

Related PRs

Test environment

Security checks

Summary by CodeRabbit

  • Documentation
    • Strengthened user store security by increasing PBKDF2 iteration count for improved protection against password brute-force attacks.
    • Updated configuration guidance with OWASP-aligned security best practices and expanded support for multiple encryption algorithm options in user authentication setup.

@CLAassistant

CLAassistant commented Feb 19, 2026

CLA assistant check
All committers have signed the CLA.

@coderabbitai

coderabbitai Bot commented Feb 19, 2026

Walkthrough

Documentation update for identity server PBKDF2 user store security configuration. PBKDF2 iteration count increased from 10000 to 600000 across primary and secondary JDBC user store configurations. Added OWASP security guidance references and expanded PRF commentary with additional algorithm examples.

Changes

| Cohort / File(s) | Summary |
|---|---|
| PBKDF2 Configuration Documentation: `en/identity-server/7.2.0/docs/deploy/configure/user-stores/secure-userstore-using-pbkdf2.md` | Updated PBKDF2 iteration count to 600000 (from 10000) in JDBC user store configs. Added OWASP recommendation reference with link to cheat sheet. Expanded PRF commentary to clarify PBKDF2WithHmacSHA256 as recommended option and list additional PRF algorithms (SHA1, SHA512). |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 Hops of security, iteration by iteration,
Six hundred thousand rounds, stronger foundation,
OWASP whispers wisdom, SHA verdicts clear,
PBKDF2 now fortified, no need for fear! 🔐

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely summarizes the main change: increasing PBKDF2 iteration count to align with OWASP recommendations. |
| Description check | ✅ Passed | The description includes the required Purpose section with clear justification and an OWASP link, and addresses the security checklist items appropriately. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
en/identity-server/7.2.0/docs/deploy/configure/user-stores/secure-userstore-using-pbkdf2.md (1)

91-96: ⚠️ Potential issue | 🟠 Major

Missing per-PRF iteration count guidance creates a documentation-driven security gap.

The note permits switching to any PRF including PBKDF2WithHmacSHA1, but the configured iteration count (600,000) is calibrated specifically for PBKDF2WithHmacSHA256. OWASP recommends 1,300,000 iterations for PBKDF2-HMAC-SHA1, 600,000 for PBKDF2-HMAC-SHA256, and 210,000 for PBKDF2-HMAC-SHA512 — the work factor for PBKDF2 should be set differently based on the internal hashing algorithm used. A reader who switches to PBKDF2WithHmacSHA1 without changing the iteration count would deploy a configuration that falls well below OWASP minimums.

Additionally, "prf can also be changed" is passive voice where the reader is the actor; prf used as an acronym should be uppercase PRF.

✏️ Proposed fix
 !!! Note
-    NIST and OWASP recommend `PBKDF2WithHmacSHA256` as the pseudo-random function (prf) value, but the prf can also be changed. Some examples of possible prf values are as follows:
+    NIST and OWASP recommend `PBKDF2WithHmacSHA256` as the pseudo-random function (PRF) value. You can also change the PRF, but you must adjust the iteration count accordingly to meet OWASP recommendations for the selected PRF:

-    - `PBKDF2WithHmacSHA512`
-    - `PBKDF2WithHmacSHA256`
-    - `PBKDF2WithHmacSHA1`
+    | PRF | OWASP minimum iteration count |
+    |---|---|
+    | `PBKDF2WithHmacSHA256` (recommended) | 600,000 |
+    | `PBKDF2WithHmacSHA512` | 210,000 |
+    | `PBKDF2WithHmacSHA1` | 1,300,000 |
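Review bot: the three row values match the linked OWASP cheat sheet, but the sentence above the table only says "adjust the iteration count accordingly" without naming what to adjust; since the 600,000 this PR sets in the JDBC user store configuration is the value the table calibrates, the note should say that it is that iteration count parameter which changes with the PRF, and that the figures are OWASP minimums rather than targets. It is also worth spelling out the asymmetry the table implies: at the configured 600,000, moving to `PBKDF2WithHmacSHA512` still clears its 210,000 minimum, while moving to `PBKDF2WithHmacSHA1` falls short of 1,300,000, so only the SHA-1 switch leaves the deployment below the minimum without a matching count change.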

As per coding guidelines: "Use active voice and present tense; use passive voice only when the actor is unknown or unimportant."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@en/identity-server/7.2.0/docs/deploy/configure/user-stores/secure-userstore-using-pbkdf2.md`
around lines 91 - 96, Update the NOTE block to use active voice and uppercase
PRF, and add per-PRF iteration guidance: state that the configured iteration
count (600,000) applies to PBKDF2WithHmacSHA256, and recommend OWASP-aligned
work factors (e.g., ~1,300,000 for PBKDF2WithHmacSHA1, ~600,000 for
PBKDF2WithHmacSHA256, and ~210,000 for PBKDF2WithHmacSHA512); also clarify that
if you change the PRF (the PRF you select), you must adjust iterations
accordingly. Reference the existing PRF examples (PBKDF2WithHmacSHA512,
PBKDF2WithHmacSHA256, PBKDF2WithHmacSHA1) and update wording so the reader is
the actor (e.g., “You can change the PRF to …”).

## PBKDF2 parameters

When configuring the PBKDF2 hashing algorithm the following parameters must be specified in the configurations:
When configuring the PBKDF2 hashing algorithm the following parameters must be specified in the configurations. See the latest [OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2) for reference.

⚠️ Potential issue | 🟡 Minor

Passive voice in updated sentence — use active voice.

"must be specified" is passive; the actor (the administrator) is known. Per the coding guidelines: use active voice and address the reader as "you."

✏️ Proposed fix
-When configuring the PBKDF2 hashing algorithm the following parameters must be specified in the configurations. See the latest [OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2) for reference.
+When configuring the PBKDF2 hashing algorithm, you must specify the following parameters. See the latest [OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2) for reference.
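Review bot: the active-voice rewrite is fine and the `#pbkdf2` anchor points at the right section of the cheat sheet, but this sentence introduces the parameter list and still says nothing about the iteration count depending on the PRF; a short clause here, such as "the minimum iteration count depends on the PRF you select", would tie the 600,000 value in the configuration to `PBKDF2WithHmacSHA256` at the point where the reader first meets the parameters, rather than only in the note around lines 91-96.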

As per coding guidelines: "Use active voice and present tense; use passive voice only when the actor is unknown or unimportant" and "Address the reader as 'you'."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In
`@en/identity-server/7.2.0/docs/deploy/configure/user-stores/secure-userstore-using-pbkdf2.md`
at line 63, Rewrite the passive sentence in the PBKDF2 configuration section to
active voice addressing the reader (you); replace "When configuring the PBKDF2
hashing algorithm the following parameters must be specified in the
configurations." with an active construction that tells the administrator what
to do (for example, "When you configure the PBKDF2 hashing algorithm, specify
the following parameters in the configuration"). Update the sentence in
secure-userstore-using-pbkdf2.md so it uses present tense, active voice, and
"you."
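The PR raises the count from 10,000 to 600,000 and the review comment above points out that the right minimum depends on the PRF. The following script is an added example, not code from the PR or from WSO2 Identity Server: it encodes the per-PRF OWASP minimums quoted in the review, checks a set of constructed user store settings against them (the old default, the value this PR proposes, and the SHA-1 switch the review warns about), derives keys with Python's `hashlib.pbkdf2_hmac` using the same JCA PRF names the docs use, and times a derivation so an administrator can see what the chosen count costs per login on the machine it runs on. The user store names and their settings are constructed for illustration.

```python
import hashlib
import os
import time

# OWASP Password Storage Cheat Sheet minimum PBKDF2 iteration counts,
# keyed by the JCA PRF names the WSO2 docs use (values as quoted in the review).
OWASP_MIN_ITERATIONS = {
    "PBKDF2WithHmacSHA1": 1_300_000,
    "PBKDF2WithHmacSHA256": 600_000,
    "PBKDF2WithHmacSHA512": 210_000,
}

# hashlib digest name behind each JCA PRF name.
DIGEST_FOR_PRF = {
    "PBKDF2WithHmacSHA1": "sha1",
    "PBKDF2WithHmacSHA256": "sha256",
    "PBKDF2WithHmacSHA512": "sha512",
}

# Constructed sample settings (not from the WSO2 docs): the old default,
# the value this PR proposes, and a PRF change without a count change.
SAMPLE_USER_STORES = {
    "PRIMARY (old default)": ("PBKDF2WithHmacSHA256", 10_000),
    "PRIMARY (this PR)": ("PBKDF2WithHmacSHA256", 600_000),
    "SECONDARY (PRF changed, count unchanged)": ("PBKDF2WithHmacSHA1", 600_000),
}


def check_iterations(prf, iterations):
    """Return (meets_minimum, owasp_minimum) for a configured PRF/iteration pair.

    An unknown PRF raises instead of passing, so a typo in the algorithm name
    is never silently treated as acceptable.
    """
    if prf not in OWASP_MIN_ITERATIONS:
        raise ValueError(f"no OWASP guidance for PRF {prf!r}")
    minimum = OWASP_MIN_ITERATIONS[prf]
    return iterations >= minimum, minimum


def derive_key(prf, password, salt, iterations, dklen=32):
    """PBKDF2 output for the given JCA PRF name, password, salt and count."""
    return hashlib.pbkdf2_hmac(
        DIGEST_FOR_PRF[prf], password.encode("utf-8"), salt, iterations, dklen
    )


def time_derivation(prf, iterations, dklen=32):
    """Seconds one PBKDF2 derivation takes on this machine at the given count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key(prf, "benchmark-only-password", salt, iterations, dklen)
    return time.perf_counter() - start


def audit(stores):
    """Map each user store name to 'ok' or a 'below OWASP minimum' finding."""
    findings = {}
    for name, (prf, iterations) in stores.items():
        ok, minimum = check_iterations(prf, iterations)
        findings[name] = (
            "ok" if ok else f"below OWASP minimum ({iterations:,} < {minimum:,})"
        )
    return findings


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_USER_STORES).items():
        print(f"{name}: {verdict}")
    # Cost of the minimum count per PRF on this hardware; the three should land
    # in the same ballpark, which is how OWASP chose them.
    for prf, minimum in OWASP_MIN_ITERATIONS.items():
        seconds = time_derivation(prf, minimum)
        print(f"{prf} at {minimum:,} iterations: {seconds:.3f}s per derivation")
```

The timing loop is the check to run before committing a count to production: `hashlib.pbkdf2_hmac` is a C implementation, so the figures are a reasonable order-of-magnitude proxy for a JVM `SecretKeyFactory`, but the number that matters is the one measured on the identity server hosts under their real login load. Raising the count also only affects hashes computed from now on; existing stored hashes keep the work factor they were created with until the password is set again, so an upgrade plan should account for that.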



3 participants