Fixing the docs about default hashing iterations (#27020)

closes #26816

Signed-off-by: mposolda <mposolda@gmail.com>


Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
This commit is contained in:
Marek Posolda 2024-02-15 08:11:44 +01:00 committed by GitHub
parent df38081fe8
commit e2fb8406a3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 6 additions and 4 deletions

View file

@ -1778,7 +1778,7 @@ $ kcadm.sh create components -r demorealm -s name=full-name-ldap-mapper -s provi
. Set the realm's `passwordPolicy` attribute to an enumeration expression that includes the specific policy provider ID and optional configuration. . Set the realm's `passwordPolicy` attribute to an enumeration expression that includes the specific policy provider ID and optional configuration.
. Use the following example to set a password policy to default values. The default values include: . Use the following example to set a password policy to default values. The default values include:
* 27,500 hashing iterations * 210,000 hashing iterations
* at least one special character * at least one special character
* at least one uppercase character * at least one uppercase character
* at least one digit character * at least one digit character
@ -1792,7 +1792,7 @@ $ kcadm.sh update realms/demorealm -s 'passwordPolicy="hashIterations and specia
. To use values different from defaults, pass the configuration in brackets. . To use values different from defaults, pass the configuration in brackets.
. Use the following example to set a password policy to: . Use the following example to set a password policy to:
* 25,000 hash iterations * 300,000 hash iterations
* at least two special characters * at least two special characters
* at least two uppercase characters * at least two uppercase characters
* at least two lowercase characters * at least two lowercase characters
@ -1803,7 +1803,7 @@ $ kcadm.sh update realms/demorealm -s 'passwordPolicy="hashIterations and specia
+ +
[options="nowrap"] [options="nowrap"]
---- ----
$ kcadm.sh update realms/demorealm -s 'passwordPolicy="hashIterations(25000) and specialChars(2) and upperCase(2) and lowerCase(2) and digits(2) and length(9) and notUsername and passwordHistory(4)"' $ kcadm.sh update realms/demorealm -s 'passwordPolicy="hashIterations(300000) and specialChars(2) and upperCase(2) and lowerCase(2) and digits(2) and length(9) and notUsername and passwordHistory(4)"'
---- ----
[discrete] [discrete]

View file

@ -34,7 +34,9 @@ If you change the hashing algorithm, password hashes in storage will not change
==== ====
===== Hashing iterations ===== Hashing iterations
Specifies the number of times {project_name} hashes passwords before storage or verification. The default value is 27,500. Specifies the number of times {project_name} hashes passwords before storage or verification. The default value is 210,000 in case that `pbkdf2-sha512` is used as hashing algorithm, which is by default.
If other hash algorithms are explicitly set by using the`HashAlgorithm` policy, the default count of hashing iterations could be different. For instance, it is 600,000 by default if the`pbkdf2-sha256` algorithm is used or 1,300,000 if
the `pbkdf2` algorithm (Algorithm `pbkdf2` corresponds to PBKDF2 with HMAC-SHA1).
{project_name} hashes passwords to ensure that hostile actors with access to the password database cannot read passwords through reverse engineering. {project_name} hashes passwords to ensure that hostile actors with access to the password database cannot read passwords through reverse engineering.