set password-storage Command

The set password-storage command lets you select a hashing method for passwords stored in the directory.
This command has the following format:
set password-storage = ssha-512 | sha-512 | ssha-1 | sha-1 | pbkdf2 | crypt | md5 | smd5 | none;
  • ssha-512
    (Default) Hashes the password using the Salted SHA-512 algorithm.
  • sha-512
    Hashes the password using the SHA-512 algorithm.
  • ssha-1
    Hashes the password using the Salted SHA-1 algorithm. Because a random salt is added, the same clear text password produces a different hash each time, which is more secure.
  • sha-1
    Hashes the password using the SHA-1 algorithm.
  • pbkdf2
    Hashes the password using the PBKDF2 (Password-Based Key Derivation Function 2) method.
  • crypt
    Hashes the password using the UNIX crypt method.
  • md5
    Hashes the password using the MD5 Message Digest algorithm.
  • smd5
    Hashes the password using the Salted MD5 Message Digest algorithm.
  • none
    Passwords are not hashed. This should only be used for testing.
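The difference between the unsalted and salted methods listed above, shown as an added example in Python (not code from the directory product). It hashes one password with plain SHA-512 and with salted SHA-512; the {SSHA512}base64(digest || salt) storage layout follows the common LDAP convention and is an assumption here, not the product's documented on-disk format. The 16-byte salt matches the documented 128-bit salt-length default.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: unsalted SHA-512 versus salted SHA-512 (SSHA-512).

SALT_BYTES = 16  # 128 bits, the documented salt-length default
SHA512_DIGEST_BYTES = 64


def sha512_hash(password: str) -> str:
    """Unsalted SHA-512: the same password always yields the same hash,
    so one precomputed table covers every account with that password."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def ssha512_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-512 stored as {SSHA512}base64(digest || salt).

    A fresh random salt is drawn per call, so two hashes of the same
    password differ. The layout is an assumed LDAP-style convention.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password: str, stored: str) -> bool:
    """Recover the salt from the stored value, recompute, compare in constant time."""
    prefix = "{SSHA512}"
    if not stored.startswith(prefix):
        return False
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:SHA512_DIGEST_BYTES], raw[SHA512_DIGEST_BYTES:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("sha-512 identical for same password :", sha512_hash(pw) == sha512_hash(pw))
    print("ssha-512 identical for same password:", ssha512_hash(pw) == ssha512_hash(pw))
    print("ssha-512 verifies                   :", ssha512_verify(pw, ssha512_hash(pw)))
```

Running it prints True, False, True: the unsalted hash is repeatable across accounts, the salted one is not, yet the salted value still verifies because the salt travels with the digest.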
Supporting Commands for the PBKDF2 Hashing Method
set pbkdf2-iterations Command
This command increases the computation time needed to derive a hash, thus making dictionary-based and brute force attacks more difficult.
This command has the following format:
set pbkdf2-iterations = <num>;
Where <num> is a value greater than 0. This value specifies the number of iterations when deriving a hash.
Default: 64000
When you decide to use the PBKDF2 hashing method for improved security, keep in mind the computation cost. The larger the number of iterations, the higher the cost.
set salt-length Command
This command has the following format:
set salt-length = <num>;
Where <num> is a value from 8 through 65544 that is divisible by 8. This value (in bits) is the length of the salt (random data) included with the password.
Using a salt makes it difficult to pregenerate a table of hashes for a given password value.
Default: 128
set pbkdf2-digest-length Command
This command has the following format:
set pbkdf2-digest-length = <num>;
Where <num> is a value from 8 through 65544 that is divisible by 8. This value (in bits) is the length of the hash generated.
Default: 128
These default values must be reviewed annually to take into account the increasing computational speed of machines over time.
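The three PBKDF2 settings above, applied together in an added Python example (not the directory product's own implementation). It validates each value against the documented range (pbkdf2-iterations greater than 0, salt-length and pbkdf2-digest-length from 8 through 65544 bits and divisible by 8), derives and verifies a hash with the documented defaults, and times one derivation so the iteration count can be reviewed against current hardware. The pseudorandom function (HMAC-SHA-256) is an assumption; the page does not name the one the product uses.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Added example. Defaults below are the documented ones; the PRF is assumed.
DEFAULT_ITERATIONS = 64000
DEFAULT_SALT_BITS = 128
DEFAULT_DIGEST_BITS = 128
PRF = "sha256"  # assumption: the page does not state the PBKDF2 PRF


def validate_settings(iterations: int, salt_bits: int, digest_bits: int) -> List[str]:
    """Return a list of problems; an empty list means the settings are acceptable."""
    problems = []
    if iterations <= 0:
        problems.append(f"pbkdf2-iterations must be greater than 0, got {iterations}")
    for name, bits in (("salt-length", salt_bits), ("pbkdf2-digest-length", digest_bits)):
        if not (8 <= bits <= 65544) or bits % 8 != 0:
            problems.append(f"{name} must be 8 through 65544 and divisible by 8, got {bits}")
    return problems


def pbkdf2_hash(password: str,
                iterations: int = DEFAULT_ITERATIONS,
                salt_bits: int = DEFAULT_SALT_BITS,
                digest_bits: int = DEFAULT_DIGEST_BITS,
                salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive (salt, digest) for storage. A fresh random salt is drawn unless given."""
    problems = validate_settings(iterations, salt_bits, digest_bits)
    if problems:
        raise ValueError("; ".join(problems))
    if salt is None:
        salt = os.urandom(salt_bits // 8)
    digest = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                                 iterations, dklen=digest_bits // 8)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes,
                  iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                                    iterations, dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def derive_cost_ms(iterations: int) -> float:
    """Wall-clock milliseconds for one derivation at the given iteration count,
    the figure to revisit when reviewing the default against newer machines."""
    start = time.perf_counter()
    pbkdf2_hash("benchmark-only", iterations=iterations)
    return (time.perf_counter() - start) * 1000.0


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    salt, digest = pbkdf2_hash(pw)
    print("salt bits  :", len(salt) * 8)
    print("digest bits:", len(digest) * 8)
    print("verifies   :", pbkdf2_verify(pw, salt, digest))
    print("rejects    :", not pbkdf2_verify("wrong password", salt, digest))
    print("invalid cfg:", validate_settings(0, 12, 65552))
    for n in (DEFAULT_ITERATIONS, 4 * DEFAULT_ITERATIONS):
        print(f"{n:>7} iterations: {derive_cost_ms(n):.1f} ms")
```

The iteration count must be stored or otherwise known at verification time, since a hash derived with a different count never matches; when the default is raised after an annual review, existing entries keep verifying with their old count until they are rehashed at the next successful login.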