Expand Up @@ -18,7 +18,7 @@ PBKDF2 is supported by [primary JDBC user stores]({{base_path}}/guides/users/use
[user_store]
type = "database_unique_id"
password_digest="PBKDF2"
hash_algorithm_properties="{pbkdf2.iteration.count:10000, pbkdf2.dkLength:256, pbkdf2.prf:PBKDF2WithHmacSHA256}"
hash_algorithm_properties="{pbkdf2.iteration.count:600000, pbkdf2.dkLength:256, pbkdf2.prf:PBKDF2WithHmacSHA256}"
```

### PBKDF2 for secondary JDBC user stores
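Review bot: The jump from 10000 to 600000 iterations in the primary user store snippet is a 60x increase in CPU per password verification, and neither the snippet nor the surrounding text warns about the login-latency and throughput cost. Add a sentence telling readers to benchmark `pbkdf2.iteration.count` against their authentication load before rolling it out, and to pair any change of `pbkdf2.prf` with the count OWASP lists for that PRF, since 600000 is OWASP's figure for PBKDF2-HMAC-SHA256 specifically.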
Expand Down Expand Up @@ -49,7 +49,7 @@ To configure PBKDF2 hashing on a JDBC user store:
</tr>
<tr>
<td>UserStore Hashing Configurations</td>
<td><code>{pbkdf2.iteration.count:10000, pbkdf2.dkLength:256, pbkdf2.prf:PBKDF2WithHmacSHA256} </code></td>
<td><code>{pbkdf2.iteration.count:600000, pbkdf2.dkLength:256, pbkdf2.prf:PBKDF2WithHmacSHA256} </code></td>
<td>Additional parameters required for password hashing algorithm. This should be given in JSON format. Learn more about these [configurations](#pbkdf2-parameters).</td>
</tr>
</table>
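Review bot: The description cell says the value "should be given in JSON format", but the value in the row above, `{pbkdf2.iteration.count:600000, pbkdf2.dkLength:256, pbkdf2.prf:PBKDF2WithHmacSHA256}`, is not valid JSON (the keys and the string value are unquoted). Either describe it as the brace-delimited `key:value` list shown, or, if the parser does accept strict JSON, show the quoted form so copy-pasting from the table works either way. Also drop the trailing space before `</code>` so it is not copied along with the value.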
Expand All @@ -60,7 +60,7 @@ Successful update of these configurations will convert the password hashing algo

## PBKDF2 parameters

When configuring the PBKDF2 hashing algorithm the following parameters must be specified in the configurations:
When configuring the PBKDF2 hashing algorithm the following parameters must be specified in the configurations. See the latest [OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2) for reference.
⚠️ Potential issue | 🟡 Minor

Passive voice in updated sentence — use active voice.

"must be specified" is passive; the actor (the administrator) is known. Per the coding guidelines: use active voice and address the reader as "you."

✏️ Proposed fix

```diff
-When configuring the PBKDF2 hashing algorithm the following parameters must be specified in the configurations. See the latest [OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2) for reference.
+When configuring the PBKDF2 hashing algorithm, you must specify the following parameters. See the latest [OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2) for reference.
```

As per coding guidelines: "Use active voice and present tense; use passive voice only when the actor is unknown or unimportant" and "Address the reader as 'you'."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@en/identity-server/7.2.0/docs/deploy/configure/user-stores/secure-userstore-using-pbkdf2.md` at line 63, rewrite the passive sentence in the PBKDF2 configuration section to active voice addressing the reader (you); replace "When configuring the PBKDF2 hashing algorithm the following parameters must be specified in the configurations." with an active construction that tells the administrator what to do (for example, "When you configure the PBKDF2 hashing algorithm, specify the following parameters in the configuration"). Update the sentence in secure-userstore-using-pbkdf2.md so it uses present tense, active voice, and "you."


<table>
<tr>
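Review bot: Linking the OWASP cheat sheet is the right move, but the sentence should say which OWASP row the defaults in the table below follow: 600000 is OWASP's iteration count for PBKDF2-HMAC-SHA256, and the cheat sheet gives a different count for each PRF, so the count is not independent of `pbkdf2.prf`. Suggest: "The values below follow the OWASP recommendation for PBKDF2WithHmacSHA256; if you change the PRF, use the iteration count OWASP lists for that PRF." The active-voice point raised in the earlier comment still applies.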
Expand All @@ -72,7 +72,7 @@ When configuring the PBKDF2 hashing algorithm the following parameters must be s
<tr>
<td><code>pbkdf2.iteration.count</code></td>
<td>Iteration count</td>
<td><code>10000</code></td>
<td><code>600000</code></td>
<td>Number of times hashing is performed.</td>
</tr>
<tr>
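Review bot: The row now shows 600000, but the table does not say whether this is the value applied when `pbkdf2.iteration.count` is omitted or only the recommended value to set. With a 60x change from the previous 10000 that distinction matters for existing deployments: if it is a default, operators who never set the property inherit the new cost on upgrade; if it is not, the text should say the property must be set explicitly. State which it is, and tighten "Number of times hashing is performed." to "Number of HMAC iterations of the chosen PRF; the cost for both the server and an offline attacker grows linearly with this value."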
Expand All @@ -89,7 +89,7 @@ When configuring the PBKDF2 hashing algorithm the following parameters must be s
</table>

!!! Note
NIST recommends `PBKDF2WithHmacSHA256` as the pseudo-random function (prf) value, but the prf can also be changed. Some examples of possible prf values are as follows:
NIST and OWASP recommend `PBKDF2WithHmacSHA256` as the pseudo-random function (prf) value, but the prf can also be changed. Some examples of possible prf values are as follows:

- `PBKDF2WithHmacSHA512`
- `PBKDF2WithHmacSHA256`
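Review bot: The note says the PRF "can also be changed" but does not say that the iteration count is tied to the PRF. Since 600000 is sized for `PBKDF2WithHmacSHA256`, readers who pick `PBKDF2WithHmacSHA512` from the list should be told to revisit `pbkdf2.iteration.count` against the OWASP cheat sheet linked above, which gives a separate count per PRF. Also, "NIST and OWASP recommend" cites only the OWASP side; add the NIST reference so the claim is checkable.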