Go

Made by DeepSource

Using less than 310,000 iterations for PBKDF2 GO-S1037

Security
Major
A02 OWASP Top 10

A higher iteration count increases the compute an attacker needs per guess when brute-forcing passwords from the derived keys. OWASP recommends using more than 310,000 iterations for PBKDF2. Do note the trade-off: a higher iteration count raises the cost of an exhaustive search, but it also makes every legitimate derivation proportionally slower.

Bad practice

package main

import (
    "crypto/sha256"

    "golang.org/x/crypto/pbkdf2"
)

func main() {
    pbkdf2.Key([]byte("pass"), []byte("salt"), 10000, 64, sha256.New) // using less than 310,000 iterations
}

Recommended

package main

import (
    "crypto/sha256"

    "golang.org/x/crypto/pbkdf2"
)

func main() {
    pbkdf2.Key([]byte("pass"), []byte("salt"), 310000, 64, sha256.New) // at the OWASP-recommended 310,000 iterations
}

References