mirror of https://github.com/Mailu/Mailu.git synced 2025-03-03 14:52:36 +02:00
3748: Bump CREDENTIAL_ROUNDS to 13 r=mergify[bot] a=nextgens

## What type of PR?

enhancement

## What does this PR do?

Bump CREDENTIAL_ROUNDS to 13. As discussed on #mailu-dev, CPUs get faster.

Benchmark it using:
```shell
python3 -m timeit -n 1 -s "from passlib.hash import bcrypt_sha256" "bcrypt_sha256.using(rounds=13).hash('password')"
```

### Related issue(s)
- #1753 

## Prerequisites
Before we can consider review and merge, please make sure the following list is done and checked.
If an entry is not applicable, you can check it or remove it from the list.

- [x] In case of feature or enhancement: documentation updated accordingly
- [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file.


Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
bors-mailu[bot] 2025-02-10 07:51:05 +00:00 committed by GitHub
commit 8cc60a9867
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 3 additions and 2 deletions
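The description's reasoning ("CPUs get faster") and the changelog's advice to drop back to 12 both rest on how bcrypt treats its cost parameter: the cost is written into every hash string, so raising the default only affects hashes created afterwards, and each extra round doubles the work. The Python below is an added example written for this edit, not Mailu's own code. It parses the cost out of the hash layouts passlib's `bcrypt` and `bcrypt_sha256` produce (layouts assumed from passlib's documentation), flags stored hashes created below the configured `CREDENTIAL_ROUNDS` so an operator can plan re-hashing at next login, and quantifies the work-factor step between 12 and 13. The sample inventory is constructed, format-valid filler, not real credentials, and the function names are this example's own.

```python
import re

# Target cost for new hashes; mirrors the CREDENTIAL_ROUNDS default this PR sets.
CREDENTIAL_ROUNDS = 13

# Modular-crypt layouts passlib emits (assumption: taken from passlib's docs).
# plain bcrypt:           $2b$12$<22-char salt><31-char checksum>
# bcrypt_sha256 v2:       $bcrypt-sha256$v=2,t=2b,r=12$<22-char salt>$<31-char checksum>
# bcrypt_sha256 v1 (old): $bcrypt-sha256$2b,12$<22-char salt>$<31-char checksum>
_B64 = r"[./A-Za-z0-9]"
_FORMATS = (
    ("bcrypt", re.compile(r"^\$2[abxy]\$(?P<rounds>\d{2})\$" + _B64 + r"{53}$")),
    ("bcrypt_sha256", re.compile(
        r"^\$bcrypt-sha256\$v=2,t=2[abxy],r=(?P<rounds>\d{1,2})\$"
        + _B64 + r"{22}\$" + _B64 + r"{31}$")),
    ("bcrypt_sha256", re.compile(
        r"^\$bcrypt-sha256\$2[abxy],(?P<rounds>\d{1,2})\$"
        + _B64 + r"{22}\$" + _B64 + r"{31}$")),
)


def parse_rounds(stored_hash):
    """Return (scheme, rounds) recorded inside a stored hash string.

    bcrypt embeds its cost in the hash, which is why changing the default never
    invalidates old hashes: each one carries the rounds it was created with.
    """
    for scheme, pattern in _FORMATS:
        match = pattern.match(stored_hash)
        if match:
            return scheme, int(match.group("rounds"))
    raise ValueError("unrecognised hash format: %r" % stored_hash[:20])


def relative_cost(old_rounds, new_rounds):
    """Work-factor ratio between two bcrypt costs: bcrypt runs 2**rounds
    key-setup iterations, so every extra round doubles hash/verify time."""
    return 2.0 ** (new_rounds - old_rounds)


def needs_rehash(stored_hash, target_rounds=CREDENTIAL_ROUNDS):
    """True when the hash was made with fewer rounds than the configured target
    and should be re-hashed the next time the plaintext is available (login)."""
    _, rounds = parse_rounds(stored_hash)
    return rounds < target_rounds


def triage(inventory, target_rounds=CREDENTIAL_ROUNDS):
    """Split {user: stored_hash} into users already at/above the target and
    users to re-hash on next login, with the cost factor each one is short by."""
    current, rehash = [], {}
    for user, stored_hash in inventory.items():
        _, rounds = parse_rounds(stored_hash)
        if rounds < target_rounds:
            rehash[user] = relative_cost(rounds, target_rounds)
        else:
            current.append(user)
    return {"current": sorted(current), "rehash": rehash}


# Constructed, format-valid sample hashes (not real credentials): the salt and
# checksum fields are filler characters of the right length.
_SALT = "abcdefghijklmnopqrstuv"               # 22 chars
_CHECKSUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcde"   # 31 chars
SAMPLE_INVENTORY = {
    "alice@example.com": "$bcrypt-sha256$v=2,t=2b,r=12$%s$%s" % (_SALT, _CHECKSUM),
    "bob@example.com":   "$bcrypt-sha256$v=2,t=2b,r=13$%s$%s" % (_SALT, _CHECKSUM),
    "carol@example.com": "$bcrypt-sha256$2b,10$%s$%s" % (_SALT, _CHECKSUM),
    "dave@example.com":  "$2b$12$%s%s" % (_SALT, _CHECKSUM),
}

if __name__ == "__main__":
    for user, stored_hash in SAMPLE_INVENTORY.items():
        scheme, rounds = parse_rounds(stored_hash)
        print("%-18s %-14s rounds=%2d rehash=%s"
              % (user, scheme, rounds, needs_rehash(stored_hash)))
    print("12 -> 13 rounds costs %.0fx per hash" % relative_cost(12, 13))
```

Run against a dump of the stored hashes (never the plaintexts) to see how many accounts still sit at 12 or lower after the default changes; those only move to 13 once something re-hashes them, which requires the user's password at login time.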


@ -83,7 +83,7 @@ DEFAULT_CONFIG = {
'SESSION_TIMEOUT': 3600,
'PERMANENT_SESSION_LIFETIME': 30*24*3600,
'SESSION_COOKIE_SECURE': None,
'CREDENTIAL_ROUNDS': 12,
'CREDENTIAL_ROUNDS': 13,
'TLS_PERMISSIVE': True,
'TZ': 'Etc/UTC',
'DEFAULT_SPAM_THRESHOLD': 80,
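Review bot: the new default `'CREDENTIAL_ROUNDS': 13` doubles per-password hashing and verification time relative to 12, since bcrypt's work factor is 2**rounds; the timeit command in the PR description measures 13 only, so recording the 12-versus-13 numbers in the PR would help reviewers on slower hardware judge the change. Because bcrypt stores its cost inside the hash string, hashes already created at 12 rounds keep verifying under this default; whether they are re-hashed at 13 on the next successful login depends on code outside this hunk and is worth confirming before merge.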


@ -221,7 +221,7 @@ The minimum length is 3 characters.
This token must be passed as request header to the API as authentication token.
This is a mandatory setting for using the RESTful API.
The ``CREDENTIAL_ROUNDS`` (default: 12) setting is the number of rounds used by the
The ``CREDENTIAL_ROUNDS`` (default: 13) setting is the number of rounds used by the
password hashing scheme. The number of rounds can be reduced in case faster
authentication is needed or increased when additional protection is desired.
Keep in mind that this is a mitigation against offline attacks on password hashes,
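Review bot: the updated default in `The ``CREDENTIAL_ROUNDS`` (default: 13) setting` is correct, but the paragraph still gives operators no sense of scale when it says the rounds "can be reduced" or "increased": each additional round doubles hashing and verification time. Suggest adding a sentence after it such as "Each increment doubles the time needed to hash or verify a password; existing hashes keep working with the rounds they were created with." so the trade-off against offline attacks in the following sentence is concrete.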


@ -0,0 +1 @@
Bump CREDENTIAL_ROUNDS to 13. If your system is too slow you may want to revert back to 12.
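Review bot: the entry says "revert back to 12" without naming where to do so; since the setting is documented as ``CREDENTIAL_ROUNDS`` in the configuration reference touched by this same PR, suggest "set CREDENTIAL_ROUNDS=12 explicitly in your configuration", and add that the new default only applies to passwords hashed after the upgrade, while existing hashes verify at the cost they were created with, so operators know what to expect from the upgrade.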