cleaned up hashing iteration paragraph

This commit is contained in:
Chuck Copello 2017-02-15 12:01:01 -05:00 committed by Jen Malloy
parent 913c681cca
commit 8220778a35


@ -29,24 +29,23 @@ Here's an explanation of each policy type:
{% if book.community %}
HashAlgorithm::
Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated.
The only built-in and default algorithm available is PBKDF2. See the link:{{book.project.doc_base_url}}{{book.project.doc_info_version_url}}{{book.developerguide.link}}[{{book.developerguide.name}}]
on how to plug in your own algorithm. Note that if you do change the algorithm, password hashes will not change in storage until
Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated.
The only built-in and default algorithm available is PBKDF2. See the link:{{book.project.doc_base_url}}{{book.project.doc_info_version_url}}{{book.developerguide.link}}[{{book.developerguide.name}}]
on how to plug in your own algorithm. Note that if you do change the algorithm, password hashes will not change in storage until
the next time the user logs in.
{% endif %}
{% if book.product %}
Hashing Algorithm::
Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated.
Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated.
The only currently supported algorithm is PBKDF2.
{% endif %}
Hashing Iterations::
This value specifies the number of times a password will be hashed before it is stored or verified. The default value is 20,000.
This hashing is done in the rare case that a hacker gets access to your password database. Once they have the database
This value specifies the number of times a password will be hashed before it is stored or verified. The default value is 20,000.
This hashing is done in the rare case that a hacker gets access to your password database. Once they have access to the database,
they can reverse engineer user passwords.
The industry recommended value for this parameter changes every year as CPU power improves. The current recommended value
is 20,000. Yes, 20,000 iterations! This is a very intensive CPU operation and with this high of a setting your servers
are going to be spending most of their CPU power on hashing. You'll have to weigh what is more important to you. Performance
or protecting your passwords stores. There may be more cost effective ways of protecting your password stores.
The industry recommended value for this parameter changes every year as CPU power improves. A higher hashing iteration value takes more CPU power for hashing,
and can impact performance. You'll have to weigh what is more important to you. Performance or protecting your passwords stores.
There may be more cost effective ways of protecting your password stores.
Digits::
The number of digits required to be in the password string.
Lowercase Characters::
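Review bot: the reworked Hashing Iterations paragraph keeps the sentence "This hashing is done in the rare case that a hacker gets access to your password database", which misstates what the setting does: the password is always hashed with that many iterations; the high count exists so that, if the database is stolen, every offline guess costs the attacker the same work. Suggest something like "A high iteration count matters when an attacker obtains your password database: each guess they make must repeat the same work, so more iterations slow down offline cracking." Two smaller points in the same hunk: the new line ending "Performance or protecting your passwords stores." should read "password stores", and now that "The current recommended value is 20,000" has been dropped, "The industry recommended value for this parameter changes every year" names no value at all; either state that the 20,000 default reflects the current recommendation or point to where the recommendation is maintained. The community and product labels also still differ ("HashAlgorithm::" vs "Hashing Algorithm::"); since this commit touches both blocks, it would be a good place to align them.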
@ -62,5 +61,5 @@ Regular Expression::
Expire Password::
The number of days for which the password is valid. After the number of days has expired, the user is required to change their password.
Not Recently Used::
This policy saves a history of previous passwords. The number of old passwords stored is configurable. When a user changes their password
This policy saves a history of previous passwords. The number of old passwords stored is configurable. When a user changes their password
they cannot use any stored passwords.
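Review bot: the changed line in this hunk ("This policy saves a history of previous passwords...") is textually identical before and after, so this is a whitespace-only change; that is fine, but the commit message only mentions the hashing iterations paragraph, so a note that trailing whitespace was also cleaned here would help reviewers. While in this text, "When a user changes their password they cannot use any stored passwords" would be clearer as "When a user changes their password, they cannot reuse any password in that history".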