Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

go: weak scrypt cost #131

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

go: weak scrypt cost #131

wants to merge 1 commit into from

Conversation

burntcarrot
Copy link

Description

This checker detects the usage of scrypt.Key with an N parameter (CPU/memory cost parameter) less than 32768. The scrypt algorithm is designed to be memory-hard, making it resistant to brute-force attacks, especially those using custom hardware. A low N parameter reduces the memory and CPU cost, making it easier for attackers to crack passwords. This checker is flagged as a security warning to ensure scrypt is configured with a sufficiently high N parameter.

Recommendation

Use an N parameter of 32768 or higher when calling scrypt.Key.

@vercel Vercel
Copy link

vercel bot commented Feb 25, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Skipped Deployment
Name Status Preview Comments Updated (UTC)
globstar ⬜️ Ignored (Inspect) Visit Preview Feb 25, 2025 4:59pm

@sanket-deepsource
Copy link
Contributor

Hi @burntcarrot — thanks for your contribution! We've made some changes to our Go interface for writing checkers, so this PR will need to be updated. Please see the reference here and this guide.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@burntcarrot @sanket-deepsource