set password-storage Command
The set password-storage command lets you select a hashing method for passwords stored in the directory.
This command has the following format:
set password-storage = ssha-512 | sha-512 | ssha-1 | sha-1 | pbkdf2 | crypt | md5 | smd5 | none;
- ssha-512 (Default) Hashes the password using the Salted SHA-512 algorithm.
- sha-512 Hashes the password using the SHA-512 algorithm.
- ssha-1 Hashes the password using the Salted SHA-1 algorithm. Because a random salt is included, the same clear text password produces a different hash each time, which is more secure.
- sha-1 Hashes the password using the SHA-1 algorithm.
- pbkdf2 Hashes the password using the PBKDF2 (Password-Based Key Derivation Function 2) method.
- crypt Hashes the password using the UNIX crypt method.
- md5 Hashes the password using the Message Digest (MD5) algorithm.
- smd5 Hashes the password using the Salted Message Digest (MD5) algorithm.
- none Passwords are not hashed. This should only be used for testing.
Supporting Commands for the PBKDF2 Hashing Method
set pbkdf2-iterations Command
This command sets the PBKDF2 iteration count. A higher count increases the computation time needed to derive a hash, making dictionary-based and brute force attacks more difficult.
This command has the following format:
set pbkdf2-iterations = <num>;
Where <num> is a value greater than 0. This value specifies the number of iterations when deriving a hash.
Default: 64000
When you decide to use the PBKDF2 hashing method for improved security, keep in mind the computation cost. The larger the number of iterations, the higher the cost of each hash derivation.
set salt-length Command
This command has the following format:
set salt-length = <num>;
Where <num> is a value from 8 through 65544 that is divisible by 8. This value (in bits) is the length of the salt (random data) included with the password.
Including a salt makes it difficult to pregenerate a table of hashes for a given password value.
Default: 128
set pbkdf2-digest-length Command
This command has the following format:
set pbkdf2-digest-length = <num>;
Where <num> is a value from 8 through 65544 that is divisible by 8. This value (in bits) is the length of the hash generated.
Default: 128
These default values must be reviewed annually to take into account the computational speed of machines increasing over time.
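As an added example, not code from the directory product (whose stored hash format this page does not show), the following Python derives and verifies a PBKDF2 password hash using this page's default values for iterations, salt length and digest length, and measures the per-hash cost that the iteration count controls. PBKDF2-HMAC-SHA256 as the underlying function and the `iterations$salt$hash` record layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

# Defaults taken from the set pbkdf2-iterations, set salt-length and
# set pbkdf2-digest-length commands documented above.
PBKDF2_ITERATIONS = 64000
SALT_BITS = 128
DIGEST_BITS = 128


def _check_bits(name: str, bits: int) -> None:
    """Enforce the documented constraint: 8 through 65544, divisible by 8."""
    if bits < 8 or bits > 65544 or bits % 8:
        raise ValueError(f"{name} must be 8..65544 bits and divisible by 8")


def derive_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS,
                  digest_bits: int = DIGEST_BITS) -> bytes:
    """Derive a PBKDF2 hash of digest_bits length (HMAC-SHA256 is assumed)."""
    if iterations < 1:
        raise ValueError("iterations must be greater than 0")
    _check_bits("digest length", digest_bits)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=digest_bits // 8)


def new_salt(salt_bits: int = SALT_BITS) -> bytes:
    """Random salt so that equal passwords never share a hash."""
    _check_bits("salt length", salt_bits)
    return os.urandom(salt_bits // 8)


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                   salt_bits: int = SALT_BITS, digest_bits: int = DIGEST_BITS) -> str:
    """Return an illustrative record: iterations$salt_hex$hash_hex (assumed layout)."""
    salt = new_salt(salt_bits)
    digest = derive_pbkdf2(password, salt, iterations, digest_bits)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    expected = bytes.fromhex(hash_hex)
    candidate = derive_pbkdf2(password, bytes.fromhex(salt_hex),
                              int(iterations), len(expected) * 8)
    return hmac.compare_digest(candidate, expected)


def cost_seconds(iterations: int, rounds: int = 3) -> float:
    """Average wall-clock time of one derivation at the given iteration count."""
    salt = new_salt()
    start = time.perf_counter()
    for _ in range(rounds):
        derive_pbkdf2("benchmark-password", salt, iterations)
    return (time.perf_counter() - start) / rounds
```

Running `cost_seconds(PBKDF2_ITERATIONS)` on the directory host is a quick way to see what the chosen iteration count costs per bind before raising it during the annual review.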