Question

1
Replies
292
Views
 Eugene Roytfeld (EugeneR7)
Deutsche Bank
Vice President
Deutsche Bank
US
EugeneR7 Member since 2013 30 posts
Deutsche Bank
Posted: May 10, 2018
Last activity: May 18, 2018
Posted: 10 May 2018 10:51 EDT
Last activity: 18 May 2018 14:42 EDT
Closed

password hashing post upgrade from 7.1.x to 7.3.x

While we were on Pega 7.1.8, we needed to enable stronger password hashing, and so following the guidelines defined in the articles below, we were able to enable SHA-256 (with DSS settings below)

DSS Settings

  • prconfig/crypto/updatehash => true
  • prconfig/crypto/onewayhashalgorithm/default => SHA-512

Since then, we have upgraded to Pega 7.3.1, which (as of 7.2.2) uses bcrypt as a default hash algorithm. My questions to support community are:

  • Do we need to keep the same DSS (updated to bcrypt) or system should use bcrypt by default if they are removed
  • Is the logic behind updatehash defaulted to true if this DSS is removed? Would there be an issue with operators having older passwords logging in?

Thanks,

***Edited by Moderator Marissa to update SR Details***

Security System Administration Upgrades Support Case Exists
Moderation Team has archived post, This thread is closed to future replies. Content and links will no longer be updated. If you have the same/similar Question, please write a new Question.
Posted: 3 years ago
Posted: 18 May 2018 12:21 EDT
Marty Solomon (SOLOM)
PEGA
Senior Director Software Security Architecture
Pegasystems Inc.
US

The system will use bcrypt if the setting prconfig/crypto/onewayhashalgorithm/default is removed.


The updatehash feature defaults to false, so do not remove it if you want to update password hashes to use the stronger algorithm.


There should be no issues for operators whose passwords are stored using a previously specified algorithm