# set password-storage Command

The set password-storage command lets you select a hashing method for passwords stored in the directory.


This command has the following format:

set password-storage = ssha-512 | sha-512 | ssha-1 | sha-1 | pbkdf2 | crypt | scrypt | bcrypt | md5 | smd5 | none;

- ssha-512: (Default) Hashes the password using the Salted SHA-512 algorithm.
- sha-512: Hashes the password using the SHA-512 algorithm.
- ssha-1: Hashes the password using the Salted SHA-1 algorithm. This algorithm produces a different hash even for the same clear text password, which is more secure.
- sha-1: Hashes the password using the SHA-1 algorithm.
- pbkdf2: Hashes the password using the PBKDF2 (Password-Based Key Derivation Function 2) method.
- crypt: Hashes the password using the UNIX crypt method.
- scrypt: Hashes the password using the scrypt algorithm.
- bcrypt: Hashes the password using the bcrypt method.
- md5: Hashes the password using the Message Digest algorithm.
- smd5: Hashes the password using the Salted Message Digest algorithm.
- none: Passwords are not hashed. This should only be used for testing.

## Supporting Commands for the PBKDF2 Hashing Method

### set pbkdf2-iterations Command

This command increases the computation time needed to derive a hash, making dictionary-based and brute-force attacks more difficult.

This command has the following format:

set pbkdf2-iterations = <num>;

Where <num> is a value greater than 0. This value specifies the number of iterations when deriving a hash.

Default: **64000**

When you decide to use the PBKDF2 hashing method for improved security, keep the computation cost in mind: the larger the number of iterations, the higher the cost.

### set salt-length Command

This command has the following format:

set salt-length = <num>;

Where <num> is a value from 8 through 65544 that is divisible by 8. This value (in bits) is the length of the salt (random data) included with the password.

Using a salt makes it difficult to pregenerate a table of hashes for a given password value.

Default: **128**

### set pbkdf2-digest-length Command

This command has the following format:

set pbkdf2-digest-length = <num>;

Where <num> is a value from 8 through 65544 that is divisible by 8. This value (in bits) is the length of the hash generated.

Default: **128**

These default values must be reviewed annually to account for the increasing computational speed of machines over time.
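The three pbkdf2 settings above, sketched in Python as an added example (not the product's own code): it applies the ranges and defaults this page gives, shows that a random salt yields a different hash for the same password, and times the iteration count. HMAC-SHA-512 as the underlying hash and all function names are assumptions; the page does not say which hash the product uses or how it stores the result.

```python
import hashlib
import hmac
import os

# Defaults quoted on this page for the pbkdf2 method (lengths are in bits).
ITERATIONS = 64000
SALT_BITS = 128
DIGEST_BITS = 128
PRF = "sha512"  # assumption: the page does not name the underlying hash


def check_settings(iterations, salt_bits, digest_bits):
    """Apply the ranges this page gives for the three pbkdf2 settings."""
    if iterations <= 0:
        raise ValueError("pbkdf2-iterations must be greater than 0")
    for name, bits in (("salt-length", salt_bits),
                       ("pbkdf2-digest-length", digest_bits)):
        if not 8 <= bits <= 65544 or bits % 8:
            raise ValueError(f"{name} must be 8..65544 and divisible by 8")


def hash_password(password, salt=None, iterations=ITERATIONS,
                  salt_bits=SALT_BITS, digest_bits=DIGEST_BITS):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    check_settings(iterations, salt_bits, digest_bits)
    if salt is None:
        salt = os.urandom(salt_bits // 8)
    digest = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                                 iterations, dklen=digest_bits // 8)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations,
                                 len(salt) * 8, len(digest) * 8)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    import time
    pw = "correct horse battery staple"  # constructed sample password
    s1, d1 = hash_password(pw)
    _, d2 = hash_password(pw)
    print("same password, different salts, equal digests?", d1 == d2)
    for n in (1000, ITERATIONS):
        t0 = time.perf_counter()
        hash_password(pw, s1, iterations=n)
        print(f"{n} iterations: {time.perf_counter() - t0:.4f}s")
```

Running the timing loop on the directory host's own hardware gives a concrete number to weigh when reviewing the iteration count.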

## Supporting Commands for the bcrypt and scrypt Hashing Mechanisms

When using bcrypt, the following optional settings can be set:

### set salt-length Command

This command has the following format:

set salt-length = <number>

This command sets the size, in bits, of the salt to be used. This value must be a multiple of 8 and not greater than 65535.

Default: **16**

### set pbkdf-iterations Command

This command has the following format:

set pbkdf-iterations = <number>

This command sets the number of iterations to be performed.

Default: **64000**

When using scrypt, salt-length and pbkdf-iterations can also be set as mentioned earlier. However, use a lower pbkdf-iterations value, such as 32, because the scrypt hashing method is more CPU intensive. In addition to these two settings, scrypt also supports the variable digest length setting.

### set pbkdf-digest-length Command

This command has the following format:

set pbkdf-digest-length = <number>

This command sets the size, in bits, of the digest (hash) to be derived.

Default: **16**