6.1.3. Password hashes

Understanding password hashing helps you secure user accounts and comply with security policies. This page explains how Nubus for UCS hashes passwords and how to configure stronger hashing algorithms.

By default, Nubus for UCS uses SHA-512, which is secure for most environments. If your security requirements are higher, you can enable bcrypt hashing for additional protection.

6.1.3.1. Default hashing method

The directory service stores user password hashes in the userPassword attribute. The crypt library function hashes passwords. You can configure the hashing method using the UCR variable password/hashing/method. The default value is SHA-512.

6.1.3.2. bcrypt hashing method

As an alternative, Nubus for UCS offers bcrypt as a hashing method for user account passwords. To activate bcrypt, you must complete the following steps. If you don’t complete these steps, you can’t authenticate using a bcrypt password hash.

  1. Set the UCR variable ldap/pw-bcrypt to true on all LDAP servers.

  2. Set the UCR variable password/hashing/bcrypt to true on all LDAP servers to activate bcrypt as the hashing method for setting or changing user passwords.

Caution

bcrypt limits password length to a maximum of 72 characters.

6.1.3.3. bcrypt settings

Configure the bcrypt hashing settings to tune the security-performance balance. These settings apply only to newly created password hashes. Existing hashes retain their original algorithm and settings.

password/hashing/bcrypt/cost_factor

Sets the bcrypt cost factor. A higher value increases security by slowing down hashing. Default: 12.

password/hashing/bcrypt/prefix

Sets the bcrypt variant. Default: 2b.
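
Because these settings apply only to newly created hashes, an audit of stored userPassword values shows which accounts still carry an older algorithm or a lower cost factor. The following is an added example, not part of the Nubus documentation or code. It classifies values by their modular crypt identifier; the `{crypt}` and `{BCRYPT}` scheme prefixes, the function names, the policy of bcrypt at cost 12 or higher, and the sample values are assumptions constructed for illustration.

```python
import re

# Optional LDAP storage-scheme prefix such as {crypt} or {BCRYPT} (assumed format).
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")
# bcrypt in modular crypt format: $2<variant>$<2-digit cost>$<22-char salt + 31-char hash>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$[./A-Za-z0-9]{53}$")
# crypt(3) identifiers for the non-bcrypt methods.
CRYPT_IDS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}


def classify(user_password, min_cost=12):
    """Return (algorithm, variant, cost, below_policy) for one userPassword value.

    below_policy is True when the hash is not bcrypt with cost >= min_cost
    (hypothetical policy; 12 mirrors the documented default cost factor).
    """
    value = SCHEME_RE.sub("", user_password.strip(), count=1)
    match = BCRYPT_RE.match(value)
    if match:
        variant, cost = match.group(1), int(match.group(2))
        return ("bcrypt", variant, cost, cost < min_cost)
    parts = value.split("$")
    # $6$salt$hash or $6$rounds=N$salt$hash both split into >= 4 fields.
    if len(parts) >= 4 and parts[0] == "" and parts[1] in CRYPT_IDS:
        return (CRYPT_IDS[parts[1]], None, None, True)
    return ("unknown", None, None, True)


def audit(entries, min_cost=12):
    """Return the sorted uids whose stored hash falls below the policy."""
    return sorted(uid for uid, value in entries.items()
                  if classify(value, min_cost)[3])


# Constructed sample values: filler characters, not real password hashes.
SAMPLE = {
    "alice": "{BCRYPT}$2b$12$" + "A" * 53,      # current variant and cost
    "bob": "{crypt}$6$saltsalt$" + "B" * 86,    # SHA-512 hash set before bcrypt
    "carol": "{BCRYPT}$2a$10$" + "C" * 53,      # bcrypt set with older settings
}

if __name__ == "__main__":
    for uid, value in SAMPLE.items():
        print(uid, classify(value))
    print("below policy:", audit(SAMPLE))
```

Accounts reported as below policy only receive a hash with the current settings when their password is set or changed again.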