1 Description of the Password Hashing - DAM v4.9.0

Owned by Jens Fristed Navne (Unlicensed)
Jan 25, 2018
1 min read

The Digizuite™ DAM Center stores user passwords using a FIPS & NIST compliant Password Hashing algorithm by default.

The underlying key derivation function introduces workfactor and pepper variables.

 Out of the box, these variables may be specified in the web.config of the Dmm3BWSV3 service.

1.1 Workfactor

The workfactor is used to specify how expensive it would be to perform an exhaustive search (i.e. brute force). In general, the higher the better, however increasing the number will also slow down the key generation. Therefore the ideal number would depend on other factors like password policies, hardware and general use case. It would be recommended to increase this number on a regular basis to accommodate for the ever increasing power of brute force hardware. For example schedule an increase by 16000 each year.

  • Datatype: Integer
  • Minimum: 16000
  • Default: 64000

1.2 Pepper

The pepper defines a secret application-wide random byte array that is used to initialize the underlying HMAC before hashing. This ensures that an attacker has no way of actually cracking the password hashes without compromising the pepper value also. Using a pepper strategy is very powerful if done right, however it requires and demands a strong policy for storing and securing the pepper data. 

  • Datatype: Base64 encoded byte array
  • Recommended size: 128 bytes
  • Default: not set

Note: The pepper should be a cryptographically random array of bytes. 

Note: The pepper should never be stored in the same physical storage as the hash values. 

Note: If the pepper storage is lost, all passwords are by definition invalid!

Note: If you start using pepper, you cannot revert back to a non-pepper strategy.

Note: Specifying high workfactor and / or pepper does not invalidate general best practices regarding password length and complexity!