On 6/3/2014 9:14 AM, Bruno Oliveira wrote:
It pretty much depends on which machine the system will run on; maybe
making password salting configurable is a good idea.
I put in a JIRA for it.
https://issues.jboss.org/browse/KEYCLOAK-508
The number of iterations pretty much depends on the computational
resources, you can increase to 100.000.000 for example and make
the system vulnerable to DDoS.
With the previous default of 20000 iterations it was *already*
vulnerable to DDoS.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com