
Password hashing

Password hashing is the process of creating a fixed-length password hash from a variable-length password by using secure, cryptographic hashing algorithms. Password hashing is a one-way process; after a password has been hashed, it cannot be reverted to its original form. If a password is changed, it must go through the password hashing process again to replace the previously created password hash.

The benefit of using password hashing is that it adds an extra layer of security to stored passwords. Because a hash is irreversible, an attacker who obtains the hashed value still has to guess candidate passwords and hash each one, which makes recovering the original password extremely difficult and time-consuming.

Hash function types

All versions of the Pega 7 Platform support password hashing with the MD5 and SHA-1 hash functions; beginning with version 7.1.7, SHA-256 and SHA-512 are also supported. In Pega 7.2.2, the stronger salted bcrypt hashing algorithm is available with the Pega 7 Platform authentication process.

Dynamic System Settings for password hashing

Beginning with Pega 7.1.7, two Dynamic System Settings are involved in password hashing:

  • prconfig/crypto/onewayhashalgorithm - Specifies the hashing algorithm.

    Valid values are:

    • MD5

    • SHA-1

    • SHA-256

    • SHA-512

    • bcrypt (salted bcrypt, default from Pega 7.2.2).

  • prconfig/crypto/updatehash - Updates old password hashes to new ones by using the algorithm that is specified in the crypto/onewayhashalgorithm setting. You must create this Dynamic System Setting.

Prconfig.xml file settings for password hashing

  • Pega 7.1.6 and earlier versions

    Two prconfig.xml file settings are used in Pega 7.1.6 and earlier versions to specify which type of password hashing to use:

    • crypto/v5oneway - Adds complexity to password obfuscation beyond just hashing to strengthen password security.
    • crypto/v5onewaysha1 - Sets SHA-1 as the hashing function.

    If neither of these prconfig.xml file settings is specified, MD5 is set as the default hashing function.

  • Pega 7.1.7

    Starting in Pega 7.1.7, two additional prconfig.xml file settings are involved in the password hashing process:

    • crypto/onewayhashalgorithm - Specifies the hashing algorithm.
    • crypto/updatehash - Updates old password hashes to new ones by using the algorithm that is specified in the crypto/onewayhashalgorithm setting.

  • Pega 7.2.2 and later versions

    Beginning with Pega 7.2.2, one prconfig.xml file setting is involved in password hashing:

    • crypto/updatehash

    All other settings should be removed from the prconfig.xml file:

    • crypto/v5oneway
    • crypto/v5onewaysha1
    • crypto/v5portable
    • crypto/onewayhashalgorithm

crypto/onewayhashalgorithm setting

This setting defines the hashing algorithm that is used for storing new passwords, such as the ones created when operators change their password.

Possible values                      Salt supported?   Usage example

MD5 (default prior to Pega 7.2.2)    No                <env name="crypto/onewayhashalgorithm" value="MD5"/>
SHA-1                                No                <env name="crypto/onewayhashalgorithm" value="SHA-1"/>
SHA-256                              Yes               <env name="crypto/onewayhashalgorithm" value="SHA-256"/>
SHA-512                              Yes               <env name="crypto/onewayhashalgorithm" value="SHA-512"/>
bcrypt (default for Pega 7.2.2)      Yes               <env name="crypto/onewayhashalgorithm" value="BCRYPT"/>

crypto/updatehash setting

This setting defines whether existing password hashes should be updated to the algorithm that is specified in the crypto/onewayhashalgorithm setting.

If no setting is specified, the default value is false.

Possible values   Example usage

True              <env name="crypto/updatehash" value="true"/>
False             <env name="crypto/updatehash" value="false"/>
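As an added example (not part of the original page or of the Pega product), the following script reads the hashing-related <env> settings from a prconfig.xml file in the form shown in the tables above and flags the weaknesses this page describes: an unsalted algorithm (MD5 or SHA-1), crypto/updatehash not set to true, and, on Pega 7.2.2 and later, settings that the page says must be removed. The <pegarules> root element of the constructed sample and the default-algorithm assumptions are the author's own, not Pega's.

```python
import xml.etree.ElementTree as ET

# Constructed sample prconfig.xml: a pre-7.2.2 style configuration left in place
# after an upgrade. The <pegarules> root element is an assumption for this example.
SAMPLE_PRCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<pegarules>
  <env name="crypto/v5oneway" value="true"/>
  <env name="crypto/onewayhashalgorithm" value="SHA-1"/>
  <env name="crypto/updatehash" value="false"/>
</pegarules>
"""

# Settings this page says to remove from prconfig.xml on Pega 7.2.2 and later.
LEGACY_SETTINGS = {"crypto/v5oneway", "crypto/v5onewaysha1",
                   "crypto/v5portable", "crypto/onewayhashalgorithm"}
# Algorithms listed as "Salt supported? No" in the table above.
UNSALTED = {"MD5", "SHA-1"}


def read_env_settings(xml_text):
    """Return {name: value} for every <env name=... value=.../> element."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): e.get("value") for e in root.iter("env") if e.get("name")}


def audit_prconfig(xml_text, pega_722_or_later=True):
    """Return a list of findings (strings) about the password hashing settings."""
    settings = read_env_settings(xml_text)
    findings = []
    # Defaults follow the page: MD5 before 7.2.2, bcrypt from 7.2.2 onward.
    default_algorithm = "BCRYPT" if pega_722_or_later else "MD5"
    algorithm = settings.get("crypto/onewayhashalgorithm", default_algorithm).upper()
    if algorithm in UNSALTED:
        findings.append(f"unsalted hash algorithm in use: {algorithm}")
    if settings.get("crypto/updatehash", "false").lower() != "true":
        findings.append("crypto/updatehash is not true; existing hashes will not be upgraded")
    if pega_722_or_later:
        for name in sorted(LEGACY_SETTINGS.intersection(settings)):
            findings.append(f"legacy setting should be removed on 7.2.2+: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit_prconfig(SAMPLE_PRCONFIG):
        print(finding)
```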

Upgrading password hashing

  • SHA-256 or SHA-512 hashing

    In Pega 7.1.7, SHA-256 and SHA-512 hash functions are available with two categories of new or existing passwords:

    • Operator passwords
    • Ruleset and update lock passwords

    To use SHA-256 or SHA-512 password hashing with a new or existing password, configure the following settings in the prconfig.xml file:

    • crypto/onewayhashalgorithm to SHA-256 or SHA-512
    • crypto/updatehash to true

  • bcrypt hashing

    In Pega 7.2.2, the bcrypt hashing function is available and is the default hashing algorithm used for the Password property type.

    You can update existing passwords to use bcrypt password hashing in two ways:

    • Configure crypto/updatehash to true in the prconfig.xml file. Remove all other cryptography-related configuration settings from the prconfig.xml file.

    • Specify the hashing algorithm in the Dynamic System Setting prconfig/crypto/onewayhashalgorithm to bcrypt. Create the prconfig/crypto/updatehash Dynamic System Setting, and configure the value to true.

Operator passwords

After the prconfig.xml file settings are updated, the password hashing is updated automatically for operator passwords on the next login.
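The following is an added example (not Pega code) that simulates why the upgrade can only happen at login: the stored hash is verified with whatever algorithm it was created with, and only after a successful login, when the plaintext is available, is it rehashed with the configured algorithm if updatehash is true. The record format "ALGO$salt$digest" is an assumption for this example, and bcrypt is left out because it is not in the Python standard library.

```python
import hashlib
import hmac
import os

# Assumed record format for this example: "<ALGO>$<salt-hex>$<digest-hex>".
# MD5 and SHA-1 are stored unsalted, matching the "Salt supported?" column above.
SALTED = {"SHA-256", "SHA-512"}


def hash_password(password, algorithm):
    """Hash a plaintext password with the named algorithm, salting where supported."""
    algo = algorithm.upper()
    salt = os.urandom(16) if algo in SALTED else b""
    digest = hashlib.new(algo.replace("-", "").lower(), salt + password.encode()).hexdigest()
    return f"{algo}${salt.hex()}${digest}"


def verify(password, record):
    """Recompute the digest with the record's own algorithm and salt; constant-time compare."""
    algo, salt_hex, digest = record.split("$")
    expected = hashlib.new(algo.replace("-", "").lower(),
                           bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


def login(password, record, onewayhashalgorithm, updatehash):
    """Return (ok, record). The record is rehashed only on a successful login,
    and only when updatehash is true and the stored algorithm differs from the configured one."""
    if not verify(password, record):
        return False, record
    if updatehash and record.split("$")[0] != onewayhashalgorithm.upper():
        record = hash_password(password, onewayhashalgorithm)
    return True, record


if __name__ == "__main__":
    # Constructed scenario: an operator whose password was stored with MD5
    # logs in after crypto/onewayhashalgorithm=SHA-512 and crypto/updatehash=true are set.
    old = hash_password("correct horse", "MD5")
    ok, new = login("correct horse", old, "SHA-512", updatehash=True)
    print(ok, old.split("$")[0], "->", new.split("$")[0])
```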

Ruleset and update lock passwords

For ruleset and update lock passwords, after the prconfig.xml file settings are updated, hashing is applied whenever the ruleset is unlocked and resaved or locked again. This is because the operator provides a password to lock the ruleset, which is then hashed with the new SHA-256 or SHA-512 algorithm.

Multinode update restrictions

During a rolling update, certain nodes on a system are updated with an engine code set version that supports new hashing algorithms, but some nodes are not updated and still use older algorithms. In this situation, do not apply a new password hashing setting until all nodes are updated.
