
Increase iteration configuration for SHA-512 password hashing #76

brynwhyman opened this issue Sep 2, 2019 · 1 comment


brynwhyman commented Sep 2, 2019

Overview

CWP password hashing for versions 2.4 and above was updated in #51 to use SHA-512 rather than blowfish for password hashing.

However, the current iteration configuration is below recommended security guidelines. The security of PBKDF2 comes from the number of rounds performed. The current configuration, as shown in the source code below, sets a default cost of 10000 iterations. Security recommendations for PBKDF2 are to increase the cost to an acceptable delay and resource consumption level above 27,000. This will depend on server architecture and available resources.

Path: vendor\cwp\cwp-core\src\PasswordEncryptor\PBKDF2.php
protected $iterations = 10000;

Recommendation

  • Configure the PBKDF2 default iterations to use any tolerable cost above 27,000.
  • Confirm with TSP that server architecture can support this.

Note: Users' passwords would need to be rehashed after this configuration change, so we should make this change before CWP 2.4 is released, so the old iteration count doesn't make it to production.
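Added illustration of the two points the issue raises (the iteration cost and the rehash that a cost change forces); this is not code from cwp-core, and the class name, the "algo$iterations$salt$key" storage format and the 30,000-round figure are assumptions chosen for the example. Storing the round count with each hash is what lets a record hashed under the old 10000-round default be recognised and upgraded on the next successful login.

```php
<?php
// Added illustration, not CWP's own PasswordEncryptor\PBKDF2 class (assumes PHP 8):
// PBKDF2-SHA512 with the round count stored inside the hash string, so that a
// record hashed under the old 10000-round default can be detected and upgraded
// on the next successful login, plus a timing check for the configured cost.
declare(strict_types=1);

final class Pbkdf2Sha512Policy
{
    private const ALGO = 'sha512';
    private const SALT_BYTES = 16;
    public function __construct(private int $iterations = 30000) {}

    /** Returns "sha512$<iterations>$<salt hex>$<derived key hex>". */
    public function hash(string $password): string
    {
        $salt = bin2hex(random_bytes(self::SALT_BYTES));
        $key  = hash_pbkdf2(self::ALGO, $password, $salt, $this->iterations); // full 128-hex output
        return sprintf('%s$%d$%s$%s', self::ALGO, $this->iterations, $salt, $key);
    }

    public function verify(string $password, string $stored): bool
    {
        $parts = explode('$', $stored);
        if (count($parts) !== 4 || $parts[0] !== self::ALGO) {
            return false;
        }
        [, $iter, $salt, $key] = $parts;
        $candidate = hash_pbkdf2(self::ALGO, $password, $salt, (int) $iter);
        return hash_equals($key, $candidate); // constant-time comparison
    }
    /** True when the stored hash used fewer rounds than the current policy. */
    public function needsRehash(string $stored): bool
    {
        return (int) (explode('$', $stored)[1] ?? 0) < $this->iterations;
    }
    /** Wall-clock milliseconds for one hash at the configured cost on this host. */
    public function benchmarkMs(): float
    {
        $start = hrtime(true);
        $this->hash('benchmark-only');
        return (hrtime(true) - $start) / 1e6;
    }
}

$policy = new Pbkdf2Sha512Policy(30000);
$legacy = (new Pbkdf2Sha512Policy(10000))->hash('correct horse'); // constructed legacy record
$stored = $policy->hash('correct horse');
var_dump($policy->verify('correct horse', $stored), $policy->needsRehash($legacy), $policy->needsRehash($stored));
printf("one hash at %d rounds: %.1f ms\n", 30000, $policy->benchmarkMs());
```

Run the benchmark on the target server class rather than a developer laptop, since the tolerable delay the issue refers to depends on that hardware.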

@brynwhyman brynwhyman added this to the Sprint 43 milestone Sep 3, 2019
@Cheddam Cheddam self-assigned this Sep 8, 2019

Cheddam commented Sep 9, 2019

Tested increase to 30,000 iterations on a small CWP instance, and did not appear to have any impact on performance. Fixed in #77.

@Cheddam Cheddam closed this as completed Sep 9, 2019