shawnmclean/SimpleCrypto.net

Default salt size and iterations

haythem opened this issue · 4 comments

First of all, I want to thank you for this great and clear implementation.
I just wanted you to know that there is no point in having large salts. A 16-byte salt is sufficient. Also, 100000 is good if you're using it locally; on a server it will cost a lot. From what I read, in a production environment, you should use 20000 iterations.

Awesome, thanks for the information. I'll push an update soon with the changes reflecting this suggestion.

The hashing number changes over time. 100k is the recommended 2016 number.

This comment was meant in reply to the OP by @haythem, which was recommending a decrease to 20k. That advice may have been correct in 2014, but is not now, so I was merely making sure you didn't change away from your good current value.