diff --git a/server_admin/topics/authentication/password-policies.adoc b/server_admin/topics/authentication/password-policies.adoc index 99d46cedf4..941057e517 100644 --- a/server_admin/topics/authentication/password-policies.adoc +++ b/server_admin/topics/authentication/password-policies.adoc 
@@ -29,24 +29,23 @@ Here's an explanation of each policy type: {% if book.community %} HashAlgorithm:: - Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated. - The only built-in and default algorithm available is PBKDF2. See the link:{{book.project.doc_base_url}}{{book.project.doc_info_version_url}}{{book.developerguide.link}}[{{book.developerguide.name}}] - on how to plug in your own algorithm. Note that if you do change the algorithm, password hashes will not change in storage until + Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated. + The only built-in and default algorithm available is PBKDF2. See the link:{{book.project.doc_base_url}}{{book.project.doc_info_version_url}}{{book.developerguide.link}}[{{book.developerguide.name}}] + on how to plug in your own algorithm. Note that if you do change the algorithm, password hashes will not change in storage until the next time the user logs in. {% endif %} {% if book.product %} Hashing Algorithm:: - Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated. + Passwords are not stored as clear text. Instead they are hashed using standard hashing algorithms before they are stored or validated. The only currently supported algorithm is PBKDF2. {% endif %} Hashing Iterations:: - This value specifies the number of times a password will be hashed before it is stored or verified. The default value is 20,000. - This hashing is done in the rare case that a hacker gets access to your password database. Once they have the database + This value specifies the number of times a password will be hashed before it is stored or verified. The default value is 20,000. + This hashing is done in the rare case that a hacker gets access to your password database. 
Once they have access to the database, they can reverse engineer user passwords. - The industry recommended value for this parameter changes every year as CPU power improves. The current recommended value - is 20,000. Yes, 20,000 iterations! This is a very intensive CPU operation and with this high of a setting your servers - are going to be spending most of their CPU power on hashing. You'll have to weigh what is more important to you. Performance - or protecting your passwords stores. There may be more cost effective ways of protecting your password stores. + The industry recommended value for this parameter changes every year as CPU power improves. A higher hashing iteration value takes more CPU power for hashing, + and can impact performance. You'll have to weigh what is more important to you. Performance or protecting your passwords stores. + There may be more cost effective ways of protecting your password stores. Digits:: The number of digits required to be in the password string. Lowercase Characters:: @@ -62,5 +61,5 @@ Regular Expression:: Expire Password:: The number of days for which the password is valid. After the number of days has expired, the user is required to change their password. Not Recently Used:: - This policy saves a history of previous passwords. The number of old passwords stored is configurable. When a user changes their password + This policy saves a history of previous passwords. The number of old passwords stored is configurable. When a user changes their password they cannot use any stored passwords.
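Review bot: the rewritten Hashing Iterations explanation (the `+` lines beginning "This hashing is done in the rare case that a hacker gets access to your password database") still describes the threat imprecisely. An attacker who has the database does not "reverse engineer" passwords from PBKDF2 hashes; they run an offline brute-force or dictionary attack, and the iteration count is what makes each guess more expensive. Suggest wording along the lines of "A higher iteration count makes each guess in an offline brute-force or dictionary attack against a stolen hash more expensive, at the cost of CPU time on every login and password change." Two smaller points in the same lines: "protecting your passwords stores" (carried over from the removed text) should read "password stores", and "You'll have to weigh what is more important to you. Performance or protecting your passwords stores." is a sentence fragment; consider "You'll have to weigh login performance against the cost an attacker pays per guess." Finally, since the removed lines stated that the recommended value is 20,000 and the kept line says "The default value is 20,000", it is worth keeping one sentence tying the default to that recommendation so readers understand why the default is this high.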
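Review bot: the Not Recently Used hunk is a trailing-whitespace-only change, which is fine, but while the line is being touched consider stating where "The number of old passwords stored" is configured, since the sentence says only that it is "configurable" and the surrounding entries (Digits, Expire Password) each say what their number means.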