From 571ff22e3f5ff05aac3081be2f08d89540cd1a68 Mon Sep 17 00:00:00 2001
From: Jonathan Hooper
Date: Mon, 23 Jul 2018 12:10:09 -0500
Subject: [PATCH] LG-489 Adjust scrypt cost (#2353)
**Why**: A 2017 paper on the SCrypt site offers the following guidelines for SCrypt parameters for an interactive login: N = 2^14; r = 8; p = 4 Note that the parameter p offers the same time-memory tradeoff for both the legitimate user and the attacker, while the parameter N offers more advantage for the user. For that reason, this commit sets the default scrypt cost to: N = 2^16; r = 8; p = 1 ref: https://blog.filippo.io/the-scrypt-parameters/
---
config/application.yml.example | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/application.yml.example b/config/application.yml.example
index 922451accb1..d6ff2f05417 100644
--- a/config/application.yml.example
+++ b/config/application.yml.example
@@ -173,7 +173,7 @@ development:
 saml_secret_rotation_path_suffix:
 saml_secret_rotation_secret_key:
 saml_secret_rotation_secret_key_password:
- scrypt_cost: '4000$8$4$' # SCrypt::Engine.calibrate(max_time: 0.5)
+ scrypt_cost: '10000$8$1$'
 secret_key_base: 'development_secret_key_base'
 service_timeout: '30'
 session_encryption_key: '27bad3c25711099429c1afdfd1890910f3b59f5a4faec1c85e945cb8b02b02f261ba501d99cfbb4fab394e0102de6fecf8ffe260f322f610db3e96b2a775c120'
@@ -295,7 +295,7 @@ production:
 saml_secret_rotation_path_suffix:
 saml_secret_rotation_secret_key:
 saml_secret_rotation_secret_key_password:
- scrypt_cost: '4000$8$4$' # SCrypt::Engine.calibrate(max_time: 0.5)
+ scrypt_cost: '10000$8$1$'
 secret_key_base: # generate via `rake secret`
 session_encryption_key: # generate via `rake secret`
 session_timeout_in_minutes: '15'
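Review bot: The new `scrypt_cost` line in the `development:` hunk (and the identical one in the `production:` hunk) drops the only comment that explained the value, and the leftover `'10000$8$1$'` is easy to misread as decimal N=10000 rather than the hex `0x10000` = 2^16 that the commit message describes. A short inline comment would keep the message's reasoning next to the value, e.g. `scrypt_cost: '10000$8$1$'  # N=0x10000 (2^16), r=8, p=1 — hex cost string, see LG-489`. Worth noting in that comment as well that raising N from 2^14 to 2^16 at r=8 quadruples the per-hash memory (128·N·r bytes, roughly 64 MiB per verification) on the login path, so capacity and rate-limiting assumptions for that endpoint should be rechecked rather than inferred from the old calibration. The enclosing `development:` and `production:` mappings start and end outside the hunks.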