Fixing the docs about default hashing iterations (#27020)

closes #26816

Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
This commit is contained in:
Marek Posolda 2024-02-15 08:11:44 +01:00 committed by GitHub
parent df38081fe8
commit e2fb8406a3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 6 additions and 4 deletions


@ -1778,7 +1778,7 @@ $ kcadm.sh create components -r demorealm -s name=full-name-ldap-mapper -s provi
. Set the realm's `passwordPolicy` attribute to an enumeration expression that includes the specific policy provider ID and optional configuration.
. Use the following example to set a password policy to default values. The default values include:
* 27,500 hashing iterations
* 210,000 hashing iterations
* at least one special character
* at least one uppercase character
* at least one digit character
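Review bot: the replaced list item now reads "210,000 hashing iterations", but the hashing-iterations section changed later in this same commit says that figure applies only when `pbkdf2-sha512` is the algorithm (600,000 for `pbkdf2-sha256`, 1,300,000 for `pbkdf2`). Because the example sets `hashIterations` with no argument, consider qualifying the item, for example "* 210,000 hashing iterations (with the default `pbkdf2-sha512` algorithm)", so the two pages cannot drift apart again.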
@ -1792,7 +1792,7 @@ $ kcadm.sh update realms/demorealm -s 'passwordPolicy="hashIterations and specia
. To use values different from defaults, pass the configuration in brackets.
. Use the following example to set a password policy to:
* 25,000 hash iterations
* 300,000 hash iterations
* at least two special characters
* at least two uppercase characters
* at least two lowercase characters
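Review bot: style point on the updated item: this list says "hash iterations" while the defaults list above says "hashing iterations" and the section heading is "Hashing iterations"; pick one term. The new value 300,000 is consistent with the `hashIterations(300000)` argument in the command hunk below, which is the important part, since the example is meant to show a value that differs from the 210,000 default.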
@ -1803,7 +1803,7 @@ $ kcadm.sh update realms/demorealm -s 'passwordPolicy="hashIterations and specia
+
[options="nowrap"]
----
$ kcadm.sh update realms/demorealm -s 'passwordPolicy="hashIterations(25000) and specialChars(2) and upperCase(2) and lowerCase(2) and digits(2) and length(9) and notUsername and passwordHistory(4)"'
$ kcadm.sh update realms/demorealm -s 'passwordPolicy="hashIterations(300000) and specialChars(2) and upperCase(2) and lowerCase(2) and digits(2) and length(9) and notUsername and passwordHistory(4)"'
----
[discrete]
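Review bot: `hashIterations(300000)` now matches the updated list above, so the example is internally consistent. A short sentence in the surrounding text noting that an explicit `hashIterations(...)` value applies regardless of the algorithm selected with the `HashAlgorithm` policy would help readers, since the other hunk in this commit explains that the default count otherwise depends on the algorithm.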


@ -34,7 +34,9 @@ If you change the hashing algorithm, password hashes in storage will not change
====
===== Hashing iterations
Specifies the number of times {project_name} hashes passwords before storage or verification. The default value is 27,500.
Specifies the number of times {project_name} hashes passwords before storage or verification. The default value is 210,000 in case that `pbkdf2-sha512` is used as hashing algorithm, which is by default.
If other hash algorithms are explicitly set by using the`HashAlgorithm` policy, the default count of hashing iterations could be different. For instance, it is 600,000 by default if the`pbkdf2-sha256` algorithm is used or 1,300,000 if
the `pbkdf2` algorithm (Algorithm `pbkdf2` corresponds to PBKDF2 with HMAC-SHA1).
{project_name} hashes passwords to ensure that hostile actors with access to the password database cannot read passwords through reverse engineering.
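Review bot: the added sentences need a grammar pass: "the`HashAlgorithm`" and "the`pbkdf2-sha256`" are missing the space before the backtick, "in case that ... which is by default" is awkward, and the final clause "or 1,300,000 if the `pbkdf2` algorithm (...)" has no verb. Suggested wording: "The default value is 210,000 when the `pbkdf2-sha512` hashing algorithm is used, which is the default. If another algorithm is set explicitly with the `HashAlgorithm` policy, the default iteration count is different: 600,000 for `pbkdf2-sha256` and 1,300,000 for `pbkdf2` (PBKDF2 with HMAC-SHA1)."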