Question: 1 reply, 277 views. Posted: May 10, 2018. Last activity: May 18, 2018. Closed.
Password hashing post-upgrade from 7.1.x to 7.3.x
While we were on Pega 7.1.8, we needed to enable stronger password hashing, so, following the guidelines defined in the articles below, we were able to enable SHA-256 (with the DSS settings below):
- https://pdn.pega.com/about-password-hashing/about-password-hashing
- Referencing question: https://pdn.pega.com/community/product-support/question/password-hashing-authentication-service
DSS Settings
- prconfig/crypto/updatehash => true
- prconfig/crypto/onewayhashalgorithm/default => SHA-512
Since then, we have upgraded to Pega 7.3.1, which (as of 7.2.2) uses bcrypt as the default hash algorithm. My questions to the support community are:
- Do we need to keep the same DSS (updated to bcrypt), or should the system use bcrypt by default if they are removed?
- Does updatehash default to true if this DSS is removed? Would there be an issue with operators who have older passwords logging in?
Thanks,
The system will use bcrypt if the setting prconfig/crypto/onewayhashalgorithm/default is removed.
The updatehash feature defaults to false, so do not remove it if you want to update password hashes to use the stronger algorithm.
There should be no issues for operators whose passwords are stored using a previously specified algorithm.
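To make the behaviour in the answer concrete, here is an added example (not Pega's code, and not its on-disk record format) of the "verify with the stored algorithm, then rehash on successful login" pattern that an updatehash-style setting controls. The two DSS keys are the ones named in the thread; the `alg$salt$digest` record layout, the settings dictionary, and the use of PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (bcrypt is not in the Python standard library) are assumptions made for the example. The defaults follow the answer: a missing algorithm setting selects the strong default, and a missing updatehash setting means false, so legacy hashes still verify but are never rewritten.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# DSS keys as named in the thread; values in the examples below are constructed.
UPDATEHASH_KEY = "prconfig/crypto/updatehash"
ALGORITHM_KEY = "prconfig/crypto/onewayhashalgorithm/default"

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt, the product's strong default.
STRONG_DEFAULT = "PBKDF2-SHA256"
PBKDF2_ITERATIONS = 200_000


def _digest(algorithm: str, salt: bytes, password: str) -> bytes:
    """Compute the raw digest for one supported algorithm (constructed set)."""
    pw = password.encode("utf-8")
    if algorithm == "SHA-512":
        # Legacy scheme from the question: a single salted SHA-512 pass.
        return hashlib.sha512(salt + pw).digest()
    if algorithm == STRONG_DEFAULT:
        return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)
    raise ValueError(f"unsupported hash algorithm: {algorithm}")


def hash_password(password: str, algorithm: str, salt: Optional[bytes] = None) -> str:
    """Return a constructed 'alg$salt_hex$digest_hex' record (example format only)."""
    salt = salt or os.urandom(16)
    return f"{algorithm}${salt.hex()}${_digest(algorithm, salt, password).hex()}"


def effective_settings(dss: Dict[str, str]) -> Tuple[str, bool]:
    """Resolve the two settings with the defaults the answer describes:
    algorithm -> strong default when absent, updatehash -> false when absent."""
    algorithm = dss.get(ALGORITHM_KEY) or STRONG_DEFAULT
    update = str(dss.get(UPDATEHASH_KEY, "false")).strip().lower() == "true"
    return algorithm, update


def verify_and_upgrade(stored: str, password: str, dss: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Verify `password` against `stored` using the algorithm recorded in it.

    Returns (ok, new_record). A new record is produced only when the login
    succeeds, updatehash is true, and the stored record does not already use
    the configured algorithm; a failed login never touches the stored hash."""
    algorithm, update = effective_settings(dss)
    stored_alg, salt_hex, digest_hex = stored.split("$", 2)
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(digest_hex)
    if not hmac.compare_digest(_digest(stored_alg, salt, password), expected):
        return False, None
    if update and stored_alg != algorithm:
        return True, hash_password(password, algorithm)
    return True, None


if __name__ == "__main__":
    # Constructed walk-through: an operator record hashed under the pre-upgrade scheme.
    legacy = hash_password("correct horse battery", "SHA-512")
    print("no settings   ->", verify_and_upgrade(legacy, "correct horse battery", {}))
    print("updatehash on ->", verify_and_upgrade(legacy, "correct horse battery", {UPDATEHASH_KEY: "true"}))
```

The second call is the case the question asks about: with the algorithm setting removed but `updatehash` kept at `true`, the legacy SHA-512 record still authenticates and is replaced by a record under the strong default on that login; with the first call (both settings absent) the login also succeeds, but the hash is left as it was.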