authorSaJH <wogur981208@gmail.com>2024-05-12 03:32:57 +0900
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-05-17 17:13:58 +0200
commit8f205acea94e93a463109e08814f78c09307f2b9 (patch)
tree410f42e7880b96eff35df17bc24aaa804ba8459d
parent50852b2c2c805c98e2af8eea5433d1a3e5348b67 (diff)
Fixed #35428 -- Increased parallelism of the ScryptPasswordHasher.
-rw-r--r--django/contrib/auth/hashers.py2
-rw-r--r--docs/releases/5.1.txt3
-rw-r--r--tests/auth_tests/test_hashers.py4
3 files changed, 6 insertions, 3 deletions
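--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@@ -570,7 +570,7 @@ class ScryptPasswordHasher(BasePasswordHasher):
 algorithm = "scrypt"
 block_size = 8
 maxmem = 0
-parallelism = 1
+parallelism = 5
 work_factor = 2**14
 def encode(self, password, salt, n=None, r=None, p=None):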
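Review bot: The new `parallelism = 5` on the added line is a bare constant with no in-code rationale, even though the release note attributes it to OWASP; I would keep the reasoning next to the value with `# OWASP parameter set (N=2**14, r=8, p=5); p is encoded into each hash, so this` `# default only governs new hashes and those rehashed after must_update().` Raising p multiplies the CPU cost of every new hash without touching scrypt's core memory, which is driven by N and r, so `maxmem = 0` presumably still suffices — worth confirming against the hashlib/OpenSSL limit before release. Existing `$8$1$` hashes keep verifying with their stored parameters, provided must_update compares parallelism as well as work_factor and block_size; that method is outside this hunk, and the body of encode also continues beyond it.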
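--- a/docs/releases/5.1.txt
+++ b/docs/releases/5.1.txt
@@ -46,6 +46,9 @@ Minor features
 * The default iteration count for the PBKDF2 password hasher is increased from
 720,000 to 870,000.
+* In order to follow OWASP recommendations, the default ``parallelism`` of the
+ ``ScryptPasswordHasher`` is increased from 1 to 5.
+
 * :class:`~django.contrib.auth.forms.BaseUserCreationForm` and
 :class:`~django.contrib.auth.forms.AdminPasswordChangeForm` now support
 disabling password-based authentication by setting an unusable password on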
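--- a/tests/auth_tests/test_hashers.py
+++ b/tests/auth_tests/test_hashers.py
@@ -650,8 +650,8 @@ class TestUtilsHashPassScrypt(SimpleTestCase):
 encoded = make_password("lètmein", "seasalt", "scrypt")
 self.assertEqual(
 encoded,
-"scrypt$16384$seasalt$8$1$Qj3+9PPyRjSJIebHnG81TMjsqtaIGxNQG/aEB/NY"
-"afTJ7tibgfYz71m0ldQESkXFRkdVCBhhY8mx7rQwite/Pw==",
+"scrypt$16384$seasalt$8$5$ECMIUp+LMxMSK8xB/IVyba+KYGTI7FTnet025q/1f"
+"/vBAVnnP3hdYqJuRi+mJn6ji6ze3Fbb7JEFPKGpuEf5vw==",
 )
 self.assertIs(is_password_usable(encoded), True)
 self.assertIs(check_password("lètmein", encoded), True)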
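Review bot: The replaced expected string only pins the new default; nothing in this test covers the upgrade path for hashes minted with the previous `parallelism` of 1, even though the removed lines still carry such a hash verbatim. After the last assertIs I would add `old = "scrypt$16384$seasalt$8$1$Qj3+9PPyRjSJIebHnG81TMjsqtaIGxNQG/aEB/NY" "afTJ7tibgfYz71m0ldQESkXFRkdVCBhhY8mx7rQwite/Pw=="`, `self.assertIs(check_password("lètmein", old), True)` and `self.assertIs(ScryptPasswordHasher().must_update(old), True)`, which checks both that legacy hashes keep verifying at their stored parameters and that they are flagged for rehash. This presumes must_update compares the stored parallelism and that ScryptPasswordHasher is imported in this module, neither of which is visible in the hunk. The enclosing test method starts outside the hunk.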