dify - 💡(How to fix) Fix MEDIUM: PBKDF2 password hashing uses only 10K iterations — OWASP recommends 600K+



CWE-916: PBKDF2 Password Hashing Uses Only 10,000 Iterations

Severity: MEDIUM (CVSS 5.1)

Location

  • pi/libs/password.py:
    dk = hashlib.pbkdf2_hmac("sha256", password_str.encode(), salt_byte, 10000)

Description

Password hashing uses PBKDF2-HMAC-SHA256 with only 10,000 iterations. OWASP 2025 recommends 600,000+ iterations for PBKDF2-SHA256. At 10K iterations, an attacker with a modern GPU (RTX 4090: ~100M hashes/sec) can test ~10,000 candidate passwords per second against each stored hash.

Impact

If the database is compromised (e.g., via the hardcoded Redis/DB passwords), all password hashes can be brute-forced in minutes rather than years. Combined with the default credentials in .env.example, a full database dump gives an attacker every user's password.

Remediation

Increase iterations to at least 600,000. Consider migrating to Argon2id, which is more resistant to GPU cracking.
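The remediation as a worked example in Python, added here and not code from dify: the flagged 10,000-iteration call kept as the "before" case beside a 600,000-iteration version that stores the iteration count alongside the hash, plus a verify routine that re-hashes legacy entries at the new cost on a successful login so existing users are upgraded transparently. The function names, the `$`-separated storage format and the 16-byte random salt are assumptions, not the project's.

```python
# Added example, not dify's code. Shows the weak PBKDF2 call from the report next
# to a hardened version and a verify-and-upgrade path for already-stored hashes.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

WEAK_ITERATIONS = 10_000      # value flagged in the report (pi/libs/password.py)
PBKDF2_ITERATIONS = 600_000   # OWASP-recommended floor for PBKDF2-HMAC-SHA256


def hash_password_weak(password_str: str, salt_byte: bytes) -> bytes:
    # Mirrors the flagged call; kept only as the "before" case for comparison.
    return hashlib.pbkdf2_hmac("sha256", password_str.encode(), salt_byte, WEAK_ITERATIONS)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing string: pbkdf2_sha256$<iterations>$<salt_hex>$<dk_hex>.

    Storing the iteration count with the hash is what makes a later cost
    increase (or the upgrade path below) possible without a flag day.
    """
    salt = secrets.token_bytes(16)                       # assumed salt length
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def iterations_of(stored: str) -> int:
    """Iteration count recorded in a stored hash string."""
    return int(stored.split("$")[1])


def verify_password(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Check password against stored; return (ok, replacement_hash_or_None).

    When the stored hash was made with fewer than PBKDF2_ITERATIONS rounds and
    the password is correct, a fresh hash at the current cost is returned so the
    caller can overwrite the legacy one (rehash-on-login).
    """
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False, None
    iterations = int(iters)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), iterations)
    if not hmac.compare_digest(candidate, bytes.fromhex(dk_hex)):  # constant-time
        return False, None
    if iterations < PBKDF2_ITERATIONS:
        return True, hash_password(password)
    return True, None
```

A move to Argon2id would keep the same verify-and-upgrade pattern, with a different algorithm prefix in the stored string.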
