kfaraz commented on code in PR #15970: URL: https://github.com/apache/druid/pull/15970#discussion_r1503730207
########## docs/development/extensions-core/druid-basic-security.md: ########## @@ -165,13 +165,7 @@ Authorizer that requests should be directed to.<br /> ##### Credential iterations and API performance -As noted above, `credentialIterations` determines the number of iterations used to hash a password. A higher number increases security, but costs more in terms of CPU utilization. - -This cost affects API performance, including query times. The default setting of 10000 is intentionally high to prevent attackers from using brute force to guess passwords. - -You can decrease the number of iterations to speed up API response times, but it may expose your system to dictionary attacks. Therefore, only reduce the number of iterations if your environment fits one of the following conditions: -- **All** passwords are long and random which make them as safe as a randomly-generated token. -- You have secured network access to Druid so that no attacker can execute a dictionary attack against it. +As noted above, `credentialIterations` determines the number of iterations used to hash a password. A higher number increases security. The default setting of 10000 is intentionally high to prevent attackers from using brute force to guess passwords. We recommend that you don't lower this setting. Druid caches up to the last 1000 iterations for an hour to ensure that having a large number of iterations does not meaningfully impact query performance. Review Comment: ```suggestion As noted above, the value of `credentialIterations` determines the number of iterations used to hash a password. A higher number of iterations increases security. The default value of 10,000 is intentionally high to prevent attackers from using brute force to guess passwords. We recommend that you don't lower this value. Druid caches the hash of up to 1000 passwords used in the last hour to ensure that having a large number of iterations does not meaningfully impact query performance. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
