Hi Matthew,
We believe at this time that the right balance for most web applications is to use 1000 iterations. There is a trade-off in security in terms of balancing how many iterations (more is better) and how long it takes to calculate those iterations (more is worse). If the iterations are increased too much, then a rather trivial DoS attack becomes possible on the server.
We do not have plans at this time to change the iteration count or to make it configurable. However, applications in ASP.NET can always choose to implement their own security functionality if there is a specific application requirement that is not available in ASP.NET's libraries.
The Security StackExchange post linked to (http://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256) has some great answers on the subject regarding the various trade-offs and consequences of changing the iterations.
Thanks,
Eilon
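An added example, not part of the reply above and not ASP.NET's own hasher: one way an application could implement its own PBKDF2 password storage with the iteration count kept in the stored record, so the count can be raised later and the cost measured. It assumes .NET 6 or later; the class name, record format, `MaxIterations` cap, and the 10000 policy value are hypothetical choices for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;

// Hypothetical helper (added example). Record format: "iterations.saltB64.keyB64"
public static class IterationTaggedHasher
{
    private const int SaltBytes = 16, KeyBytes = 32;
    // Assumed cap: refuse records whose count would make one login too expensive.
    private const int MaxIterations = 1_000_000;

    public static string Hash(string password, int iterations)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations,
                                               HashAlgorithmName.SHA256, KeyBytes);
        return $"{iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(key)}";
    }

    // needsRehash is true when the password is correct but the record was
    // created with fewer iterations than the current policy.
    public static bool Verify(string password, string stored, int policy, out bool needsRehash)
    {
        needsRehash = false;
        string[] p = stored.Split('.');
        if (p.Length != 3 || !int.TryParse(p[0], out int n) || n < 1 || n > MaxIterations)
            return false;
        byte[] salt, expected;
        try { salt = Convert.FromBase64String(p[1]); expected = Convert.FromBase64String(p[2]); }
        catch (FormatException) { return false; }
        if (salt.Length != SaltBytes || expected.Length != KeyBytes) return false;
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, n,
                                                  HashAlgorithmName.SHA256, KeyBytes);
        bool ok = CryptographicOperations.FixedTimeEquals(actual, expected);
        needsRehash = ok && n < policy;
        return ok;
    }

    public static void Main()
    {
        string record = Hash("constructed-sample-password", 1000); // count from the reply
        var sw = Stopwatch.StartNew();
        bool ok = Verify("constructed-sample-password", record, 10000, out bool rehash);
        sw.Stop();
        // Per-login CPU cost is the server-side half of the trade-off.
        Console.WriteLine($"ok={ok} needsRehash={rehash} verifyMs={sw.Elapsed.TotalMilliseconds:F2}");
    }
}
```

When `needsRehash` comes back true, the caller can store `Hash(password, policy)` in place of the old record while it still has the plaintext from the login request.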