Info: This article is added with Smart ID 23.10.2.
...
Note: Password hashes stored directly in Smart ID Identity Manager for CoreObject users and internal users are affected by the changed default algorithm.
Configure user password hashing
Smart ID Identity Manager uses Argon2id to hash user passwords, which provides higher resistance against GPU-based attacks by being memory-hard.
You can customize several algorithm parameters to balance security with resource consumption (CPU/memory). The default values are chosen based on the defaults of Spring-Security 5.8+ and recommendations by the Open Worldwide Application Security Project (OWASP), as of end of August 2023, with some differences:
Existing BCrypt2a password hashes can still be used for verification, but you must change the existing passwords to gain the benefits of Argon2id.
Existing SHA-256 password hashes can still be used for verification, but it is recommended to change existing passwords that were hashed this way. Make sure that you run PRIME or Identity Manager 3.7 or later before changing. PRIME 3.6.8 was the last version to create these hashes by default (via Spring 4's ShaPasswordEncoder with predefined rounds and an optional, fixed salt), before version 3.7 switched to BCrypt2. You can find these hashes in the Identity Manager database by searching for values that are a 64-character hex string rather than starting with $argon2id$ (Argon2id) or $2a$ (BCrypt2a). Search for the following:
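As an added example (not part of the Smart ID documentation), this Python script applies the hash shapes described above to classify stored password hashes and flag accounts whose hash should be replaced; the cost parameters in TARGET_PARAMS, the sample rows and the rehash policy are assumptions, not values from this page.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Hash shapes this page distinguishes: Argon2id/BCrypt2a are self-describing, legacy SHA-256 is bare hex.
ARGON2ID_RE = re.compile(r"^\$argon2id\$v=\d+\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)\$[^$]+\$[^$]+$")
BCRYPT2A_RE = re.compile(r"^\$2a\$\d{2}\$[./A-Za-z0-9]{53}$")
LEGACY_SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)

# Assumed target cost parameters (placeholder values, not taken from the page):
# replace them with the m/t/p values configured for your Identity Manager.
TARGET_PARAMS: Dict[str, int] = {"m": 16384, "t": 2, "p": 1}

def argon2_params(stored: str) -> Optional[Dict[str, int]]:
    """Return the m/t/p cost parameters encoded in an Argon2id hash, else None."""
    match = ARGON2ID_RE.match(stored)
    return {k: int(match.group(k)) for k in ("m", "t", "p")} if match else None

def classify_hash(stored: str) -> str:
    if ARGON2ID_RE.match(stored):
        return "argon2id"
    if BCRYPT2A_RE.match(stored):
        return "bcrypt2a"
    if LEGACY_SHA256_RE.match(stored):
        return "legacy-sha256"
    return "unknown"

def needs_rehash(stored: str, target: Dict[str, int]) -> bool:
    """Policy used here: not Argon2id, or less memory / fewer iterations than target."""
    params = argon2_params(stored)
    if params is None:
        return True
    return params["m"] < target["m"] or params["t"] < target["t"]

def audit(rows: Iterable[Tuple[str, str]], target: Dict[str, int]) -> Dict[str, List[str]]:
    """Group usernames by hash format and list the accounts that need a rehash."""
    report: Dict[str, List[str]] = {k: [] for k in ("argon2id", "bcrypt2a", "legacy-sha256", "unknown", "needs-rehash")}
    for user, stored in rows:
        report[classify_hash(stored)].append(user)
        if needs_rehash(stored, target):
            report["needs-rehash"].append(user)
    return report

# Constructed sample rows standing in for a (username, password_hash) query result.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("alice", "$argon2id$v=19$m=16384,t=2,p=1$c2FsdHNhbHRzYWx0c2FsdA$aGFzaGhhc2hoYXNoaGFzaA"),
    ("bob", "$argon2id$v=19$m=4096,t=1,p=1$c2FsdHNhbHRzYWx0c2FsdA$aGFzaGhhc2hoYXNoaGFzaA"),
    ("carol", "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("dave", "0123456789abcdef" * 4),
    ("erin", "{sha256}0123456789abcdef"),
]
```

Accounts listed under needs-rehash are the ones to target with a forced password change; the script only reads hashes and never verifies or rewrites them.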
Importing an existing configuration .zip that contains internal users will overwrite password hashes, potentially with older, insecure hashes or newer, incompatible ones. Make sure to consider this when working with multiple different PRIME or Identity Manager versions and their configurations.
Related information
- Argon2id
- Argon2 spec
- BCrypt2a
- defaults of Spring-Security 5.8+
- recommendations by OWASP
- OWASP
- Post by Steve Thomas from OWASP
- Spring MessageDigestPasswordEncoder (recommends adaptive one-way functions)
- Spring 4's ShaPasswordEncoder