kfaraz commented on code in PR #15970:
URL: https://github.com/apache/druid/pull/15970#discussion_r1503730207


##########
docs/development/extensions-core/druid-basic-security.md:
##########
@@ -165,13 +165,7 @@ Authorizer that requests should be directed to.<br />
 
 ##### Credential iterations and API performance
 
-As noted above, `credentialIterations` determines the number of iterations 
used to hash a password. A higher number increases security, but costs more in 
terms of CPU utilization. 
-
-This cost affects API performance, including query times. The default setting 
of 10000 is intentionally high to prevent attackers from using brute force to 
guess passwords.
-
-You can decrease the number of iterations to speed up API response times, but 
it may expose your system to dictionary attacks. Therefore, only reduce the 
number of iterations if your environment fits one of the following conditions:
-- **All** passwords are long and random which make them as safe as a 
randomly-generated token.
-- You have secured network access to Druid so that no attacker can execute a 
dictionary attack against it.
+As noted above, `credentialIterations` determines the number of iterations 
used to hash a password. A higher number increases security. The default 
setting of 10000 is intentionally high to prevent attackers from using brute 
force to guess passwords. We recommend that you don't lower this setting. Druid 
caches up to the last 1000 iterations for an hour to ensure that having a large 
number of iterations does not meaningfully impact query performance. 
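Review bot: the replacement text says Druid "caches up to the last 1000 iterations for an hour", which names the wrong thing; the iteration count is a parameter of one hash computation, so what a cache can hold is the computed hash of a recently used credential, and the sentence should say that (the suggested rewrite, "caches the hash of up to 1000 passwords used in the last hour", does). The same edit also drops the only statement of why a cache is needed, "costs more in terms of CPU utilization" and "This cost affects API performance, including query times", so the new caching sentence now explains a cost the reader has never been told about; keep one clause on the CPU cost before the recommendation not to lower the value. Finally, removing the two bullet conditions without replacement leaves no guidance for operators who have already lowered the value; if the intent is to withdraw that advice, a sentence saying the default should be restored would close the gap.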

Review Comment:
   ```suggestion
   As noted above, the value of `credentialIterations` determines the number of 
iterations used to hash a password. A higher number of iterations increases 
security. The default value of 10,000 is intentionally high to prevent 
attackers from using brute force to guess passwords. We recommend that you 
don't lower this value. Druid caches the hash of up to 1000 passwords used in 
the last hour to ensure that having a large number of iterations does not 
meaningfully impact query performance. 
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
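The caching behaviour discussed in the comment above, as an added example that is not Druid's code and is not from this PR: a PBKDF2 password verifier with a bounded, time-limited cache of successful verifications, so the cost of a high iteration count is paid once per credential per hour rather than on every API request. The numbers (10,000 iterations, 1000 entries, one hour) mirror those quoted in the review; the cache key, the per-process HMAC secret, the LRU eviction and the choice not to cache failed attempts are design assumptions of this example, not a description of Druid's implementation.

```python
import hashlib
import hmac
import os
import time
from collections import OrderedDict

# Values quoted in the review text; the defaults below are assumptions of this example.
DEFAULT_ITERATIONS = 10_000
CACHE_MAX_ENTRIES = 1000
CACHE_TTL_SECONDS = 3600


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted hash. This is the cost the iteration count controls."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


class CredentialVerifier:
    """Verifies (user, password) pairs and caches recent successes.

    The cache is keyed on an HMAC of the credential under a per-process random
    secret (assumption of this example), so a leaked cache cannot be turned into
    an offline dictionary attack without that secret, and no plaintext is stored.
    """

    def __init__(self, iterations=DEFAULT_ITERATIONS, max_entries=CACHE_MAX_ENTRIES,
                 ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self.iterations = iterations
        self.max_entries = max_entries
        self.ttl = ttl
        self.clock = clock                      # injectable for deterministic tests
        self._cache_secret = os.urandom(32)
        self._users = {}                        # user -> (salt, stored_hash)
        self._cache = OrderedDict()             # cache_key -> expiry timestamp (LRU order)
        self.slow_checks = 0                    # how many full PBKDF2 runs happened

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, hash_password(password, salt, self.iterations))

    def _cache_key(self, user: str, password: str) -> bytes:
        msg = user.encode("utf-8") + b"\0" + password.encode("utf-8")
        return hmac.new(self._cache_secret, msg, "sha256").digest()

    def verify(self, user: str, password: str) -> bool:
        entry = self._users.get(user)
        if entry is None:
            return False

        key = self._cache_key(user, password)
        now = self.clock()
        expiry = self._cache.get(key)
        if expiry is not None:
            if expiry > now:
                self._cache.move_to_end(key)    # fresh hit: keep it most recently used
                return True
            del self._cache[key]                # expired: fall through to the slow path

        salt, stored = entry
        self.slow_checks += 1
        candidate = hash_password(password, salt, self.iterations)
        if not hmac.compare_digest(candidate, stored):
            # Failures are never cached: every wrong guess pays the full iteration cost,
            # which is what makes a high iteration count slow down brute force.
            return False

        self._cache[key] = now + self.ttl
        if len(self._cache) > self.max_entries:
            self._cache.popitem(last=False)     # evict least recently used entry
        return True


def measure_hash_seconds(iterations: int, rounds: int = 3) -> float:
    """Wall-clock cost of one hash at the given iteration count (for illustration only)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        hash_password("benchmark-password", salt, iterations)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    v = CredentialVerifier()
    v.add_user("alice", "correct horse battery staple")
    for _ in range(3):
        v.verify("alice", "correct horse battery staple")
    print(f"3 verifications, {v.slow_checks} slow hash computation(s)")
    print(f"one hash at {DEFAULT_ITERATIONS} iterations: {measure_hash_seconds(DEFAULT_ITERATIONS):.4f}s")
```

Run as a script, it verifies the same credential three times and reports that only one slow hash was computed, followed by the measured cost of a single 10,000-iteration hash on the host. The `slow_checks` counter is what to watch when reasoning about API latency: a cache miss costs one full PBKDF2 run, a hit costs one HMAC.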

