Iteration count of key derivation is obsolete and insecure

As of now, the iteration count is 1000.

At the same time 1Password increased their count from 100000 to 650000.
OWASP recommended 600,000 iterations for PBKDF-HMAC-SHA256.

The standard was written 24 years ago recommending a minimum number of 1000, with the intention of increasing as CPU speeds increase. A count of 1000 is too low for today’s CPU speeds.


Is there any development going on regarding this issue?

I have seen a pull request from 杨赫然 on the seafile-server project regarding this issue to propose encryption v5. Is this being reviewed?

Intentionally using weak encryption is a dealbreaker for us.

Actually the pr for encryption v5 is obsolete. We have a new design to use Argon2 for key derivation. You can find the new PR: Support argon2id password hash algo by feiniks · Pull Request #637 · haiwen/seafile-server · GitHub . The plan is to release it in version 12.