
Update KDF Configuration and processing

- Change the default server-side password-hash KDF iteration count from 100_000 to 600_000
- Re-hash the stored password hash at login when the configured iteration count differs from the stored one
- Validate password_iterations in the server configuration
- Validate the client-side KDF iteration count so it cannot be set lower than 100_000
BlackDex 2023-01-24 13:06:31 +01:00
parent 9b7e86efc2
commit 2d8c8e18f7
No known key found for this signature in database
GPG key ID: 58C80A2AA6C765E1
6 changed files with 35 additions and 15 deletions


@ -463,9 +463,9 @@ make_config! {
invitation_expiration_hours: u32, false, def, 120;
/// Allow emergency access |> Controls whether users can enable emergency access to their accounts. This setting applies globally to all users.
emergency_access_allowed: bool, true, def, true;
/// Password iterations |> Number of server-side passwords hashing iterations.
/// The changes only apply when a user changes their password. Not recommended to lower the value
password_iterations: i32, true, def, 100_000;
/// Password iterations |> Number of server-side passwords hashing iterations for the password hash.
/// The default for new users. If changed, it will be updated during login for existing users.
password_iterations: i32, true, def, 600_000;
/// Allow password hints |> Controls whether users can set password hints. This setting applies globally to all users.
password_hints_allowed: bool, true, def, true;
/// Show password hint |> Controls whether a password hint should be shown directly in the web page
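Review bot: The rewritten doc comment on `password_iterations` drops the old "Not recommended to lower the value" warning and does not state the minimum that `validate_config` now enforces (the second hunk rejects anything below 100_000), so whoever reads this setting's help text cannot tell that there is a floor or why lowering the count matters. Since the `|>` text appears to be what is surfaced as the setting's description, the security-relevant constraint belongs here rather than only in the startup error. Suggest `/// The default for new users. If changed, existing users are re-hashed at login.` followed by `/// Must be at least 100_000 (rejected at startup otherwise); lowering it weakens stored password hashes.` The `make_config!` invocation this entry belongs to starts before the hunk.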
@ -673,6 +673,10 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> {
}
}
if cfg.password_iterations < 100_000 {
err!("PASSWORD_ITERATIONS should be at least 100000 or higher. The default is 600000!");
}
let limit = 256;
if cfg.database_max_conns < 1 || cfg.database_max_conns > limit {
err!(format!("`DATABASE_MAX_CONNS` contains an invalid value. Ensure it is between 1 and {limit}.",));