[SECURITY] default to pbkdf2 with 320,000 iterations

(cherry picked from commit 3ea0b287d74b8fc0dad08b2a539105e1aa1c1e67)
(cherry picked from commit db8392a8ac093d4d3760e8bb40c56d8e194d44fb)
(cherry picked from commit bd2a5fa2923c320e01faeaa1fdc1ad823c337027)
(cherry picked from commit 2436acb3d986bad08aa134e450420fc4a08f5d62)
(cherry picked from commit 62f50e1c521c30729781e5cd58882e743bb8b851)
(cherry picked from commit dba18925217254d22f76306c0fe1c046c419268e)
(cherry picked from commit 4b58e3b6d41f9e42fd34469184a3c7d4c5205c86)
(cherry picked from commit 12470568569fec0644319d3d263a82bc7acdc0c3)
(cherry picked from commit afbaea700972ddd4cb788d0b6d5e78de5558756a)
(cherry picked from commit dcd4813d96f8d4e429914f4c8f951bd25b23afca)
(cherry picked from commit b51dc963d1625bd7b9869302ec1ae70bbafb4442)
(cherry picked from commit 611e895efd28026fdc4661893172356e76f6c3d0)
(cherry picked from commit fd492a03f5335c138e143e784657f7012484bd8c)
(cherry picked from commit 2c99991f44a15466339bb82b29d455c66795721b)
(cherry picked from commit 7426c1edb4b904424cded473c94c9739fde83ed0)
(cherry picked from commit 373244f8b2d449e8811e488e3a3732ba9bc79eaa)
(cherry picked from commit e1038faee899ad29686d1870e166cea2470d861a)
(cherry picked from commit 5804aae16a35870f778772e1c017158cfee89da9)
(cherry picked from commit c1d666591925f79e9b5cb5d19597f51674c61367)
(cherry picked from commit e41c2241ba4f534750b6f1af0646542448d22f9f)
(cherry picked from commit b2ac8a37c7f9953e9dd8681df63df5b2d411c035)

Author: Loïc Dachary

custom/conf/app.example.ini

@@ -476,8 +476,8 @@ INTERNAL_TOKEN=
 ;;Classes include "lower,upper,digit,spec"
 ;PASSWORD_COMPLEXITY = off
 ;;
-;; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"
-;PASSWORD_HASH_ALGO = pbkdf2
+;; Password Hash algorithm, either "argon2", "pbkdf2"/"pbkdf2_v2", "pbkdf2_hi", "scrypt" or "bcrypt"
+;PASSWORD_HASH_ALGO = pbkdf2_hi
 ;;
 ;; Set false to allow JavaScript to read CSRF cookie
 ;CSRF_COOKIE_HTTP_ONLY = true

modules/auth/password/hash/setting.go

@@ -10,7 +10,7 @@ package hash
 //
 // It will be dealiased as per aliasAlgorithmNames whereas
 // defaultEmptyHashAlgorithmSpecification does not undergo dealiasing.
-const DefaultHashAlgorithmName = "pbkdf2"
+const DefaultHashAlgorithmName = "pbkdf2_hi"
 
 var DefaultHashAlgorithm *PasswordHashAlgorithm
 

modules/auth/password/hash/setting_test.go

@@ -28,11 +28,11 @@ func TestCheckSettingPasswordHashAlgorithm(t *testing.T) {
 		})
 	}
 
-	t.Run("pbkdf2_v2 is the default when default password hash algorithm is empty", func(t *testing.T) {
+	t.Run("pbkdf2_hi is the default when default password hash algorithm is empty", func(t *testing.T) {
 		emptyConfig, emptyAlgo := SetDefaultPasswordHashAlgorithm("")
-		pbkdf2v2Config, pbkdf2v2Algo := SetDefaultPasswordHashAlgorithm("pbkdf2_v2")
+		pbkdf2hiConfig, pbkdf2hiAlgo := SetDefaultPasswordHashAlgorithm("pbkdf2_hi")
 
-		assert.Equal(t, pbkdf2v2Config, emptyConfig)
-		assert.Equal(t, pbkdf2v2Algo.Specification, emptyAlgo.Specification)
+		assert.Equal(t, pbkdf2hiConfig, emptyConfig)
+		assert.Equal(t, pbkdf2hiAlgo.Specification, emptyAlgo.Specification)
 	})
 }