Very low PBKDF2 iterations defaults in couchdb

[OnGle]

In CouchDB the default pbkdf2 iterations is set to 10, which is insanely low. For reference, in 2000 when the pbkdf2 RFC was release, the recommended iterations was 1,000; 20 years ago, with the suggestion that it be increased as CPU speeds increase. As such a 10,000+ iterable count is probably more sensible.

A closed issue on the CouchDB Github appears to address this issue however it was closed before (as far as I can tell) it was properly fixed.

Lastly the upstream CouchDB docs seem to suggest that the default IS 10,000 however, at the very least this appears to NOT be the case in the Debian package. Perhaps the docs correspond with a newer version than the latest Debian package?

This PR, along with updating to 16.0 increase the default and minimum PBKDF2 iterations to 1,000 however it's probably worth increasing this.

References:

• RFC https://tools.ietf.org/html/rfc2898#section-4.2
• Wikipedia article https://en.wikipedia.org/wiki/PBKDF2

[JedMeister]

Thanks @OnGle - I've tagged this to v16.1. If we don't discuss further by then, we can ensure that we do for that...

So by my understanding, the reason why it's not higher, is because it makes CouchDB less responsive (especially on low resource machines) and so has been rolled back to keep users happy (despite the security implications...). Your default increase to 1000 in the TurnKey app is a great "happy medium" in my books. Although as you note, it's still not ideal.

Perhaps as a middle ground, we could note the issue in the README and maybe even make a Confconsole plugin for increasing it?!

[OnGle]

Default was already bumped to 1,000. While still far too low imo, I think postponing this until 17.0 for a more complete solution is the best move at this point.

[qq7]

This setting can be changed with Fauxton in the config section

[JedMeister]

@qq7 - I suggest that we note that in the changelog and close this issue (with the v17.0 PR merge).

[JedMeister]

This missed the boat in v17.x, we should definitely document this for v18.0!