diff --git a/docs/documentation/server_admin/topics/admin-cli.adoc b/docs/documentation/server_admin/topics/admin-cli.adoc index 0e8f9557cc..623cbe524e 100644 --- a/docs/documentation/server_admin/topics/admin-cli.adoc +++ b/docs/documentation/server_admin/topics/admin-cli.adoc @@ -1778,7 +1778,7 @@ $ kcadm.sh create components -r demorealm -s name=full-name-ldap-mapper -s provi . Set the realm's `passwordPolicy` attribute to an enumeration expression that includes the specific policy provider ID and optional configuration. . Use the following example to set a password policy to default values. The default values include: -* 27,500 hashing iterations +* 210,000 hashing iterations * at least one special character * at least one uppercase character * at least one digit character @@ -1792,7 +1792,7 @@ $ kcadm.sh update realms/demorealm -s 'passwordPolicy="hashIterations and specia . To use values different from defaults, pass the configuration in brackets. . Use the following example to set a password policy to: -* 25,000 hash iterations +* 300,000 hash iterations * at least two special characters * at least two uppercase characters * at least two lowercase characters @@ -1803,7 +1803,7 @@ $ kcadm.sh update realms/demorealm -s 'passwordPolicy="hashIterations and specia + [options="nowrap"] ---- -$ kcadm.sh update realms/demorealm -s 'passwordPolicy="hashIterations(25000) and specialChars(2) and upperCase(2) and lowerCase(2) and digits(2) and length(9) and notUsername and passwordHistory(4)"' +$ kcadm.sh update realms/demorealm -s 'passwordPolicy="hashIterations(300000) and specialChars(2) and upperCase(2) and lowerCase(2) and digits(2) and length(9) and notUsername and passwordHistory(4)"' ---- [discrete] diff --git a/docs/documentation/server_admin/topics/authentication/password-policies.adoc b/docs/documentation/server_admin/topics/authentication/password-policies.adoc index 1b6c5f1598..94893818fa 100644 
--- a/docs/documentation/server_admin/topics/authentication/password-policies.adoc +++ b/docs/documentation/server_admin/topics/authentication/password-policies.adoc @@ -34,7 +34,9 @@ If you change the hashing algorithm, password hashes in storage will not change ==== ===== Hashing iterations -Specifies the number of times {project_name} hashes passwords before storage or verification. The default value is 27,500. +Specifies the number of times {project_name} hashes passwords before storage or verification. The default value is 210,000 in case that `pbkdf2-sha512` is used as hashing algorithm, which is by default. +If other hash algorithms are explicitly set by using the`HashAlgorithm` policy, the default count of hashing iterations could be different. For instance, it is 600,000 by default if the`pbkdf2-sha256` algorithm is used or 1,300,000 if +the `pbkdf2` algorithm (Algorithm `pbkdf2` corresponds to PBKDF2 with HMAC-SHA1). {project_name} hashes passwords to ensure that hostile actors with access to the password database cannot read passwords through reverse engineering.
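Review bot: In admin-cli.adoc, the hunk at line 1778 states the default as a fixed "210,000 hashing iterations", but the password-policies.adoc change in this same patch says the default depends on the hashing algorithm (210,000 for `pbkdf2-sha512`, 600,000 for `pbkdf2-sha256`, 1,300,000 for `pbkdf2`). Suggest qualifying the bullet, for example "* 210,000 hashing iterations (with the default `pbkdf2-sha512` algorithm)", so the two pages do not contradict each other for realms that set a different algorithm.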
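Review bot: In admin-cli.adoc, the example command in the hunk at line 1803 sets `hashIterations(300000)` without naming an algorithm, and the bullet "* 300,000 hash iterations" in the hunk at line 1792 carries no qualifier either. Per the defaults documented in password-policies.adoc in this patch, 300,000 is above the `pbkdf2-sha512` default but below the 600,000 default for `pbkdf2-sha256` and the 1,300,000 default for `pbkdf2`, so a reader copying the command into a realm that uses one of those algorithms would lower the work factor. Suggest adding a sentence that the example assumes the default algorithm, or pointing to the "Hashing iterations" section for per-algorithm defaults.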
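Review bot: In password-policies.adoc, the added lines in the "Hashing iterations" hunk have missing spaces before inline code ("the`HashAlgorithm`" and "the`pbkdf2-sha256`"), which will also break the AsciiDoc monospace rendering, and the last sentence has no verb after "or 1,300,000 if the `pbkdf2` algorithm". The first sentence, "in case that `pbkdf2-sha512` is used as hashing algorithm, which is by default", is hard to parse. Suggest something like "The default value is 210,000 when `pbkdf2-sha512`, the default hashing algorithm, is used." followed by "It is 600,000 by default if the `pbkdf2-sha256` algorithm is used, or 1,300,000 if the `pbkdf2` algorithm is used (`pbkdf2` corresponds to PBKDF2 with HMAC-SHA1)." The mid-sentence line break before "the `pbkdf2` algorithm" can go at the same time.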