Reduced security on ProtectedCache. (#28)

Utar94 · Oct 19, 2023 · 7f771eb · 7f771eb
1 parent babfe93
commit 7f771eb
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/backend/src/Logitar.Wishes.Infrastructure/Caching/ProtectedCache.cs b/backend/src/Logitar.Wishes.Infrastructure/Caching/ProtectedCache.cs
@@ -10,7 +10,11 @@ internal record ProtectedCache<T>
   public ProtectedCache(T value, string password)
   {
     _value = value;
-    _pbkdf2 = new(password);
+
+    /* NOTE(fpion): OWASP recommends 600000 iterations when using SHA-256. This is a security risk
+     * since the Portal uses 600000 iterations. The result is that Wishes is less secure than the
+     * Portal, which simplifies the job of an attack who would like to try keys. */
+    _pbkdf2 = new(password, iterations: 10000);
   }
 
   public T? GetValue(string password) => _pbkdf2.IsMatch(password) ? _value : default;