| author | Bond_009 <bond.009@outlook.com> | 2024-08-30 19:26:48 +0200 |
|---|---|---|
| committer | Bond_009 <bond.009@outlook.com> | 2024-08-30 19:29:23 +0200 |
| commit | e69e097e19b3b4c32dd0f6ca1ca9a562520449d7 (patch) | |
| tree | 06b0f87d9d193a498f7ba047e3b307bf5c69f617 | |
| parent | 72077490447d3ff588563cc7f8aa705e1a7e9ecc (diff) | |
Increase password hash iterations
It has been a while since this was last updated: https://github.com/jellyfin/jellyfin/pull/6818
Recommendations have changed since: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
| -rw-r--r-- | Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs | 11 | ||||
| -rw-r--r-- | MediaBrowser.Model/Cryptography/Constants.cs | 2 |
2 files changed, 10 insertions, 3 deletions
diff --git a/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs b/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs
index cb2d09a67..acada7aa4 100644
--- a/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs
+++ b/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs
@@ -1,9 +1,11 @@
 using System;
 using System.Diagnostics.CodeAnalysis;
+using System.Globalization;
 using System.Threading.Tasks;
 using Jellyfin.Data.Entities;
 using MediaBrowser.Controller.Authentication;
 using MediaBrowser.Model.Cryptography;
+using Microsoft.Extensions.Logging;
 
 namespace Jellyfin.Server.Implementations.Users
 {
@@ -12,14 +14,17 @@ namespace Jellyfin.Server.Implementations.Users
     /// </summary>
     public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
     {
+        private readonly ILogger<DefaultAuthenticationProvider> _logger;
         private readonly ICryptoProvider _cryptographyProvider;
 
         /// <summary>
         /// Initializes a new instance of the <see cref="DefaultAuthenticationProvider"/> class.
         /// </summary>
+        /// <param name="logger">The logger.</param>
         /// <param name="cryptographyProvider">The cryptography provider.</param>
-        public DefaultAuthenticationProvider(ICryptoProvider cryptographyProvider)
+        public DefaultAuthenticationProvider(ILogger<DefaultAuthenticationProvider> logger, ICryptoProvider cryptographyProvider)
         {
+            _logger = logger;
             _cryptographyProvider = cryptographyProvider;
         }
 
@@ -75,8 +80,10 @@ namespace Jellyfin.Server.Implementations.Users
             }
 
             // Migrate old hashes to the new default
-            if (!string.Equals(readyHash.Id, _cryptographyProvider.DefaultHashMethod, StringComparison.Ordinal))
+            if (!string.Equals(readyHash.Id, _cryptographyProvider.DefaultHashMethod, StringComparison.Ordinal)
+                || int.Parse(readyHash.Parameters["iterations"], CultureInfo.InvariantCulture) != Constants.DefaultIterations)
             {
+                _logger.LogInformation("Migrating password hash of {User} to the latest default", username);
                 ChangePassword(resolvedUser, password);
             }
 
diff --git a/MediaBrowser.Model/Cryptography/Constants.cs b/MediaBrowser.Model/Cryptography/Constants.cs
index f2ebb5d3d..a4cb62245 100644
--- a/MediaBrowser.Model/Cryptography/Constants.cs
+++ b/MediaBrowser.Model/Cryptography/Constants.cs
@@ -18,6 +18,6 @@ namespace MediaBrowser.Model.Cryptography
         /// <summary>
         /// The default amount of iterations for hashing passwords.
         /// </summary>
-        public const int DefaultIterations = 120000;
+        public const int DefaultIterations = 210000;
     }
 }
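Review bot: The added condition indexes `readyHash.Parameters["iterations"]` and parses it unguarded, so a stored hash whose id already matches the default method but lacks that parameter, or carries a non-numeric value, now throws (`KeyNotFoundException` / `FormatException`) during login instead of being migrated. Whether such stored hashes exist depends on how the hash string is parsed upstream, which is outside this hunk, but a login path should not fail on a data quirk that the migration could simply repair. Assuming `Parameters` is a dictionary, treating a missing or unparseable count as "needs migration" keeps the short-circuit semantics: `|| !readyHash.Parameters.TryGetValue("iterations", out var iterText)` / `|| !int.TryParse(iterText, NumberStyles.Integer, CultureInfo.InvariantCulture, out var iterations)` / `|| iterations != Constants.DefaultIterations`. Note also that `!=` re-hashes a password whose stored count is already higher than the new default, lowering its work factor; `<` would only ever raise it, so pick deliberately and state the intent in the `// Migrate old hashes` comment. The enclosing method starts and ends outside the hunk.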
