From ba5b035f6e02ab56fa204716af4843e6d8a64cb6 Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Tue, 11 Apr 2023 11:56:20 +0100
Subject: [PATCH] FEATURE: Increase pbkdf2 iterations to 600k (#20981)

Existing passwords will continue to work. Hashes will be regenerates on a user's next login.
---
 config/application.rb | 2 +-
 docs/SECURITY.md | 5 +----
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/config/application.rb b/config/application.rb
index f436921ec62..9850f85bf70 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -144,7 +144,7 @@ module Discourse
 config.active_record.use_schema_cache_dump = false
 
 # per https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
- config.pbkdf2_iterations = 64_000
+ config.pbkdf2_iterations = 600_000
 config.pbkdf2_algorithm = "sha256"
 
 # rack lock is nothing but trouble, get rid of it
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
index d1d6bdc6e7b..aec119eab8c 100644
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -14,10 +14,7 @@ For a list of recent security commits, check [our GitHub commits prefixed with S
 Discourse uses the PBKDF2 algorithm to encrypt salted passwords. This algorithm is blessed by NIST. Security experts on the web [tend to agree that PBKDF2 is a secure choice](https://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage).
-**options you can customize in your production.rb file**
-
- `pbkdf2_algorithm`: the hashing algorithm used (default "sha256")
- `pbkdf2_iterations`: the number of iterations to run (default 64000)
+Discourse currently uses PBKDF2 with the sha256 hashing algorithm and 600,000 iterations.
 ### XSS
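Review bot: The comment directly above the changed `config.pbkdf2_iterations` line still cites the retired owasp.org wiki page, while the new `600_000` is the figure the current OWASP Password Storage Cheat Sheet gives for PBKDF2-HMAC-SHA256, so the comment should be updated to `# 600k iterations for PBKDF2-HMAC-SHA256, per https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html` so the next reader can check the number against its source. Each password verification now costs roughly nine times the CPU it did at 64_000, and that cost applies equally to unauthenticated attempts, so it is worth confirming (outside this hunk) that the login, password-reset and password-change paths remain rate-limited. The commit message states that existing 64_000-iteration hashes keep working and are rewritten at the user's next login; that presumably depends on verification reading the per-user stored iteration count rather than this config value, which this hunk does not show, so a regression test that authenticates against a 64_000-iteration hash and asserts the stored hash is upgraded would pin that behaviour. The enclosing application class starts and ends outside the hunk.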