From c10f97740a6f10560e8684ce5254562eba01fe73 Mon Sep 17 00:00:00 2001
From: Bram Matthys <syzop@vulnscan.org>
Date: Sat, 05 Sep 2015 15:31:25 -0400
Subject: [PATCH] Add $config['password_crypt_rounds']: this specifies the number of rounds to be used for the sha256 and sha512 crypt hashing algorithms.

---
 plugins/password/config.inc.php.dist |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist
index 8624c56..b1478db 100644
--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@@ -61,6 +61,12 @@
 // Be aware, the higher the value, the longer it takes to generate the password hashes.
 $config['password_blowfish_cost'] = 12;
 
+// Number of rounds for the sha256 and sha512 crypt hashing algorithms.
+// Must be at least 1000. If not set, then the number of rounds is left up
+// to the crypt() implementation. On glibc this defaults to 5000.
+// Be aware, the higher the value, the longer it takes to generate the password hashes.
+//$config['password_crypt_rounds'] = 50000;
+
 // This option temporarily disables the password change functionality.
 // Use it when the users database server is in maintenance mode or sth like that.
 // You can set it to TRUE/FALSE or a text describing the reason

--
Gitblit v1.9.1