Description
The Digizuite™ DAM Center stores user passwords using a FIPS- and NIST-compliant password hashing algorithm by default.
The underlying key derivation function takes two tunable inputs: a "workfactor" and a "pepper".
Out of the box, these variables may be specified in the web.config of the Dmm3BWSV3 service.
- Workfactor
Datatype: Integer.
Minimum: 16000.
Default: 64000.
The workfactor determines how expensive an exhaustive search (i.e. brute force) of the hashes would be. In general, higher is better; however, increasing the number also slows down key generation, so the ideal value depends on other factors such as password policies, hardware and the general use case. It is recommended to increase this number on a regular basis to keep pace with the ever-increasing power of brute-force hardware, for example by scheduling an increase of 16000 each year.
- Pepper
Datatype: Base64 encoded byte array.
Recommended size: 128 bytes.
Default: not set.
The pepper is a secret, application-wide random byte array that is used to initialize the underlying HMAC before hashing. This ensures that an attacker cannot crack the password hashes without also compromising the pepper value. A pepper strategy is very powerful if done right; however, it demands a strong policy for storing and securing the pepper data.
* The pepper should never be stored in the same physical storage as the hash values.
* If the pepper storage is lost, all passwords are by definition invalid!
* If you start using pepper, you cannot revert back to a non-pepper strategy.
Note:
Specifying a high workfactor and/or a pepper does not invalidate general best practices regarding password length and complexity!
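The following is an added illustration, not Digizuite's implementation, of the three properties described above: a per-user salt, a workfactor that sets the iteration count of the derivation (PBKDF2-HMAC-SHA256 is assumed here as the FIPS/NIST-approved construction), and a pepper that keys an HMAC over the password before derivation. It also shows why a lost pepper invalidates every stored hash, and how a scheduled workfactor increase can be rolled out by re-hashing on the next successful login. The storage format, function names and the 16000 minimum check are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

# Assumed construction for illustration only (not the product's actual algorithm):
#   peppered = HMAC-SHA256(key=pepper, msg=password)
#   hash     = PBKDF2-HMAC-SHA256(peppered, per-user salt, workfactor iterations)
MIN_WORKFACTOR = 16000          # minimum documented on the page
RECOMMENDED_PEPPER_BYTES = 128  # recommended pepper size documented on the page


def new_pepper(size: int = RECOMMENDED_PEPPER_BYTES) -> bytes:
    """Generate a random application-wide pepper; store it away from the hash database."""
    return os.urandom(size)


def _pre_hash_with_pepper(password: str, pepper: bytes) -> bytes:
    # The pepper initializes the HMAC, so this value cannot be recomputed
    # without the pepper, even if the salts and hashes leak.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, workfactor: int, salt: bytes = None) -> str:
    """Return an assumed 'workfactor$salt$hash' record (all Base64 except the workfactor)."""
    if workfactor < MIN_WORKFACTOR:
        raise ValueError(f"workfactor {workfactor} is below the minimum of {MIN_WORKFACTOR}")
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", _pre_hash_with_pepper(password, pepper), salt, workfactor, dklen=32
    )
    return "$".join([
        str(workfactor),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, pepper: bytes, stored: str) -> bool:
    """Recompute the record with the stored workfactor and salt; compare in constant time."""
    workfactor_text, salt_b64, hash_b64 = stored.split("$")
    workfactor = int(workfactor_text)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _pre_hash_with_pepper(password, pepper), salt, workfactor, dklen=32
    )
    return hmac.compare_digest(candidate, expected)


def verify_and_upgrade(password: str, pepper: bytes, stored: str, current_workfactor: int):
    """Verify a login and, if the record uses an older (lower) workfactor, return a
    re-hashed record at the current workfactor so the upgrade can be persisted.
    Returns (ok, new_record_or_None)."""
    if not verify_password(password, pepper, stored):
        return False, None
    stored_workfactor = int(stored.split("$")[0])
    if stored_workfactor < current_workfactor:
        return True, hash_password(password, pepper, current_workfactor)
    return True, None


if __name__ == "__main__":
    pepper = new_pepper()
    record = hash_password("correct horse battery staple", pepper, 16000)
    print("verify:", verify_password("correct horse battery staple", pepper, record))
    # Losing the pepper (here: using a different one) invalidates every record.
    print("with lost pepper:", verify_password("correct horse battery staple", new_pepper(), record))
    ok, upgraded = verify_and_upgrade("correct horse battery staple", pepper, record, 32000)
    print("upgraded record starts with:", upgraded.split("$")[0] if upgraded else None)
```

The record carries its own workfactor, which is what makes the yearly "increase by 16000" schedule workable: old records keep verifying at their original cost and are rewritten at the new cost the next time the user logs in, without any bulk re-hashing (which would be impossible anyway, since the plaintext passwords are not available).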
Configuration
By default, you can specify the password hashing configuration in the Dmm3BWSV3 web.config file.
You do not have to set up this configuration, since it defaults to the values above. However, if you specify this section, the "workfactor" attribute is required; the pepper is not.
This example shows how to set up a system using a workfactor of 80000 and a custom 32-byte pepper (shortened for readability in this example):
<configuration>
  <configSections>
    <section name="passwordHashing" type="Digieyez.Digizuite.DigiZuiteLogic.PasswordHandling.Configuration.PasswordHashingSection" />
  </configSections>
  <connectionStrings />
  <passwordHashing workfactor="80000" pepper="hOHdlAaF3xZA4uON5hMuNiBeV5kfudE1w1szOLJ/Mjk=" />
</configuration>
This example shows the default configuration:
<configuration>
  <configSections>
    <section name="passwordHashing" type="Digieyez.Digizuite.DigiZuiteLogic.PasswordHandling.Configuration.PasswordHashingSection" />
  </configSections>
  <connectionStrings />
  <passwordHashing workfactor="64000" pepper="" />
</configuration>
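An added configuration check, not part of the Digizuite product, that reads a web.config and reports whether the passwordHashing section follows the rules on this page: the workfactor attribute is required when the section is present and must be an integer of at least 16000, the pepper (if set) must be valid Base64, and a pepper shorter than the recommended 128 bytes is flagged. The two configurations shown above are embedded as test input, together with a constructed weak configuration; the function and message names are assumptions for this example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

MIN_WORKFACTOR = 16000            # minimum documented on the page
DEFAULT_WORKFACTOR = 64000        # default documented on the page
RECOMMENDED_PEPPER_BYTES = 128    # recommended pepper size documented on the page

# Constructed inputs: the two web.config examples from this page, plus a weak one.
EXAMPLE_WITH_PEPPER = """<configuration>
  <configSections>
    <section name="passwordHashing" type="Digieyez.Digizuite.DigiZuiteLogic.PasswordHandling.Configuration.PasswordHashingSection" />
  </configSections>
  <connectionStrings />
  <passwordHashing workfactor="80000" pepper="hOHdlAaF3xZA4uON5hMuNiBeV5kfudE1w1szOLJ/Mjk=" />
</configuration>"""

DEFAULT_CONFIG = """<configuration>
  <configSections>
    <section name="passwordHashing" type="Digieyez.Digizuite.DigiZuiteLogic.PasswordHandling.Configuration.PasswordHashingSection" />
  </configSections>
  <connectionStrings />
  <passwordHashing workfactor="64000" pepper="" />
</configuration>"""

WEAK_CONFIG = """<configuration>
  <passwordHashing workfactor="8000" pepper="not base64!!" />
</configuration>"""


def check_password_hashing_config(web_config_xml: str) -> list:
    """Return a list of 'LEVEL: message' findings for the passwordHashing section."""
    findings = []
    root = ET.fromstring(web_config_xml)
    section = root.find("passwordHashing")
    if section is None:
        findings.append(
            f"INFO: no <passwordHashing> section; defaults apply "
            f"(workfactor {DEFAULT_WORKFACTOR}, no pepper)"
        )
        return findings

    # workfactor is required whenever the section is present.
    workfactor_raw = section.get("workfactor")
    if workfactor_raw is None:
        findings.append("ERROR: workfactor attribute is required when the section is present")
    else:
        try:
            workfactor = int(workfactor_raw)
        except ValueError:
            findings.append(f"ERROR: workfactor {workfactor_raw!r} is not an integer")
        else:
            if workfactor < MIN_WORKFACTOR:
                findings.append(
                    f"ERROR: workfactor {workfactor} is below the minimum of {MIN_WORKFACTOR}"
                )

    # pepper is optional, but if present it must decode and should be 128 bytes.
    pepper_raw = section.get("pepper", "")
    if pepper_raw == "":
        findings.append(
            "INFO: no pepper configured; hashes depend on the workfactor alone if the database leaks"
        )
    else:
        try:
            pepper = base64.b64decode(pepper_raw, validate=True)
        except (binascii.Error, ValueError):
            findings.append("ERROR: pepper is not valid Base64")
        else:
            if len(pepper) < RECOMMENDED_PEPPER_BYTES:
                findings.append(
                    f"WARN: pepper is {len(pepper)} bytes; recommended size is "
                    f"{RECOMMENDED_PEPPER_BYTES} bytes"
                )
    return findings


if __name__ == "__main__":
    for name, cfg in [("with pepper", EXAMPLE_WITH_PEPPER),
                      ("default", DEFAULT_CONFIG),
                      ("weak", WEAK_CONFIG)]:
        print(name)
        for finding in check_password_hashing_config(cfg):
            print("  " + finding)
```

Run against the first example above, the check reports the 32-byte pepper as shorter than the recommended 128 bytes (the page shortens it for readability); the default configuration only yields the informational note that no pepper is set.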