From a706b545603cb561ca3da6e9d8344f04179d6207 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Tue, 5 Jan 2016 16:09:33 -0800
Subject: [PATCH] Increase and tune pbkdf2 hashing parameters

Improve generation parameters to both reduce the amount of work we do
computing the hash, and increase the work required for an attacker.

Bug: T116030
Change-Id: Ib7282dac3549688163811965ebef5fb3914875c4
---
 wmf-config/CommonSettings.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/wmf-config/CommonSettings.php b/wmf-config/CommonSettings.php
index 13754c5..866873f 100644
--- a/wmf-config/CommonSettings.php
+++ b/wmf-config/CommonSettings.php
@@ -328,7 +328,12 @@ if ( $wgDBname === 'labswiki' ) {
 // Use PBKDF2 for password hashing (T70766)
 $wgPasswordDefault = 'pbkdf2';
 // This needs to be increased as allowable by server performance
-$wgPasswordConfig['pbkdf2']['cost'] = '64000';
+$wgPasswordConfig['pbkdf2'] = array(
+	'class' => 'Pbkdf2Password',
+	'algo' => 'sha512',
+	'cost' => '128000',
+	'length' => '64',
+);
 
 if ( $wgDBname === 'labswiki' ) {
 	$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 10;
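Review bot: The new `$wgPasswordConfig['pbkdf2']` array has no comment explaining why `'length' => '64'` is paired with `'algo' => 'sha512'`, and that pairing is the setting a later editor is most likely to break. PBKDF2 runs the full iteration count once per digest-sized output block, so a derived key longer than the 64-byte SHA-512 digest multiplies the server's work, while offline guessing against a leaked hash only needs the first block. I would add above the array: `// Keep 'length' at the sha512 digest size (64 bytes); a longer key costs us extra PBKDF2 blocks without slowing offline guessing.` Hashes already stored with the previous cost are presumably upgraded only when they are next rewritten, which happens outside this hunk, so it is worth confirming when old-parameter hashes get rehashed. The `if ( $wgDBname === 'labswiki' )` block after the array continues past the end of the hunk.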
-- 
1.8.4.5

