Password hashing is the process of creating a fixed-length password hash from a variable-length password by using secure, cryptographic hashing algorithms. Password hashing is a one-way process; after a password has been hashed, it cannot be reverted to its original form. If a password is changed, it must go through the password hashing process again to replace the previously created password hash.
The benefit of using password hashing is that it adds an extra layer of security to passwords. The complex and irreversible nature of hashed passwords makes it extremely difficult and time-consuming to determine a hashed password value.
Hash function types
All versions of the Pega 7 Platform allow for password hashing that uses the MD5, SHA-1, and beginning with version 7.1.7, SHA-256 and SHA-512 hash functions. In Pega 7.2.2, the stronger salted bcrypt hashing algorithm is available with the Pega 7 Platform authentication process.
Dynamic System Settings for password hashing
Beginning with Pega 7.1.7, two Dynamic System Settings are involved in password hashing:
Valid values are:
- Specifies the hashing algorithm.
bcrypt (salted bcrypt, default from Pega 7.2.2).
- - Updates old password hashes to new ones by using the algorithm that is specified in the setting. You must create this Dynamic System Setting.
Prconfig.xml file settings for password hashing
Pega 7.1.6 and earlier versions
Two prconfig.xml file settings are used in Pega 7.1.6 and earlier versions to specify which type of password hashing to use:
- - Adds complexity to password obfuscation beyond just hashing to strengthen password security.
- - Sets SHA-1 as the hashing function.
If neither of these prconfig.xml file settings is specified, MD5 is set as the default hashing function.
Starting in Pega 7.1.7, two additional prconfig.xml file settings are involved in the password hashing process:
- crypto/onewayhashalgorithm - Specifies the hashing algorithm.
- crypto/updatehash - Updates old password hashes to new ones by using the algorithm that is specified in the setting.
Pega 7.2.2 and later versions
Beginning with Pega 7.2.2, one prconfig.xml file setting is involved in password hashing:
All other settings should be removed from the prconfig.xml file:
This setting defines the hashing algorithm that is used for saving new passwords such as the ones created when operators change their password.
|Possible values||Salt supported?||Usage example|
MD5 (default prior to Pega 7.2.2)
|No||<env name="crypto/onewayhashalgorithm" value="MD5"/>|
|No||<env name="crypto/onewayhashalgorithm" value="SHA-1"/>|
|Yes||<env name="crypto/onewayhashalgorithm" value="SHA-256"/>|
|Yes||<env name="crypto/onewayhashalgorithm" value="SHA-512"/>|
|bcrypt (default for Pega 7.2.2)||Yes||<env name="crypto/onewayhashalgorithm" value="BCRYPT"/>|
This setting defines whether existing passwords should be updated.
If no setting is specified, the default value is false.
|Possible values||Example usage|
|<env name="crypto/updatehash" value="true"/>|
|<env name="crypto/updatehash" value="false"/>|
Upgrading password hashing
SHA-256 or SHA-512 hashing
In Pega 7.1.7, SHA-256 and SHA-512 hash functions are available with two categories of new or existing passwords:
- Operator passwords
- Ruleset and update lock passwords
To use SHA-256 or SHA-512 password hashing with a new or existing password, configure the following settings in the prconfig.xml file:
- to SHA-256 or SHA-512
- to true
In Pega 7.2.2, the bcrypt hashing function is available and is the default hashing algorithm used for the Password property type.
You can update existing passwords to use bcrypt password hashing in two ways:
Configureto true, in the prconfig.xml file. Remove all other cryptographic-related configurations settings from the file.
Specify the hashing algorithm in the Dynamic System Settingto bcrypt. Create the Dynamic System Setting, and configure the value to true.
After the prconfig.xml file settings are updated, the password hashing is updated automatically for operator passwords on the next login.
Ruleset and update lock passwords
For ruleset and update lock passwords, after the prconfig.xml file settings are updated, hashing is applied whenever the ruleset is unlocked and resaved or locked again. This is because the operator provides a password to lock the ruleset, which is then hashed with the new SHA-256 or SHA-512 algorithm.
Multinode update restrictions
During a rolling update, certain nodes on a system are updated with an engine code set version that supports new hashing algorithms, but some nodes are not updated and still use older algorithms. In this situation, do not apply a new password hashing setting until all nodes are updated.