All versions of SkyVault prior to SkyVault 2.0 used the MD4 (Message Digest 4) and SHA256 hash algorithms (mainly to support NTLM and CIFS) to store critical data such as passwords. This is no longer considered a secure approach, because a password hashed this way is easy to crack. As an improvement, SkyVault 2.0 can now use Bcrypt to store passwords, but this is configurable. By default, the system still uses MD4 so that users can keep authenticating over NTLM and CIFS with MD4-hashed passwords.
Bcrypt is an adaptive hash function based on the Blowfish symmetric block cipher. It is deliberately slow to compute compared to other hash functions, which makes brute-forcing a stored hash far more expensive. SkyVault 2.0 is configured to use a strength (cost factor) of 10 to provide a good compromise between speed and strength.
The system.preferred.password.encoding property accepts the following values:
- md4
- sha256
- bcrypt10
The default setting is:
system.preferred.password.encoding=md4
You can run a background job to completely remove the old hashed passwords of users who have not logged in yet. If the system is still set to md4, all user objects are still upgraded, but the background job keeps the current hash.
If the background job runs after the system.preferred.password.encoding property has been changed, it double-hashes every user object in the system that has not already been upgraded by the user logging in: the current hashed password is hashed again with the new encoder (this stays in place until the user logs in and a fresh hash of the plaintext password can be stored), the list of encoders used is recorded, and the old hashes are cleaned out.
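The upgrade flow described above, as an added illustration that is not SkyVault's own code: the job cannot see plaintext passwords, so it wraps the existing hash in the new encoder and records the encoder chain, and the next successful login replays that chain and then stores a single hash of the plaintext. Assumptions: sha256 stands in for the legacy fast hash, and bcrypt10 is stood in for by salted PBKDF2-HMAC-SHA256 with 2**10 iterations, since real bcrypt needs a third-party library; the record layout (encoders, salt, hash) is invented for the example.

```python
import hashlib
import hmac
import os

PREFERRED = "bcrypt10"   # mirrors system.preferred.password.encoding after the switch


def encode(encoder, data, salt):
    """Apply one encoder. sha256 is a fast, unsalted legacy hash; bcrypt10 is
    stood in for by salted PBKDF2 (assumption: real bcrypt is a third-party library)."""
    if encoder == "sha256":
        return hashlib.sha256(data).digest()
    if encoder == "bcrypt10":
        return hashlib.pbkdf2_hmac("sha256", data, salt, 2 ** 10)
    raise ValueError("unknown encoder: " + encoder)


def apply_chain(encoders, password, salt):
    """Replay the recorded encoder list over the plaintext, in the order the job built it."""
    out = password
    for enc in encoders:
        out = encode(enc, out, salt)
    return out


def legacy_user(password):
    """A pre-2.0 record (constructed sample): one fast hash, one-entry encoder list."""
    return {"encoders": ["sha256"], "salt": b"",
            "hash": apply_chain(["sha256"], password.encode("utf-8"), b"")}


def upgrade_job(user, preferred=PREFERRED):
    """The background job. With the preferred encoding unchanged it keeps the hash;
    otherwise it double-hashes: wraps the stored hash and appends the new encoder."""
    if user["encoders"][-1] == preferred:
        return user
    salt = os.urandom(16)
    user["hash"] = encode(preferred, user["hash"], salt)
    user["salt"] = salt
    user["encoders"] = user["encoders"] + [preferred]
    return user


def login(user, password, preferred=PREFERRED):
    """Verify by replaying the chain; on success store a single preferred-encoder
    hash of the plaintext (the step HashPasswordTransactionListener logs)."""
    pw = password.encode("utf-8")
    candidate = apply_chain(user["encoders"], pw, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return False
    if user["encoders"] != [preferred]:
        salt = os.urandom(16)
        user.update(encoders=[preferred], salt=salt, hash=encode(preferred, pw, salt))
    return True
```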
The job is controlled by the following properties:
- system.upgradePasswordHash.jobBatchSize: Specifies the number of user objects to process in each batch.
- system.upgradePasswordHash.jobQueryRange: Specifies the nodeId range to search for in each iteration.
- system.upgradePasswordHash.jobThreadCount: Specifies the number of threads the batch processor uses.
- system.upgradePasswordHash.jobCronExpression: Specifies the cron schedule on which the job runs. The following example runs it every 10 minutes:
system.upgradePasswordHash.jobCronExpression=0 0/10 * * * ?
Alternatively, the job can be executed immediately via a JMX console. The job uses JobLockService, so it is safe to run in a clustered environment.
If the password upgrade job is enabled, make sure you enable the log4j.logger.org.alfresco.repo.security.authentication.UpgradePasswordHashWorker logging in log4j.properties.
You can either set it to trace or debug as shown below:
log4j.logger.org.alfresco.repo.security.authentication.UpgradePasswordHashWorker=trace
or
log4j.logger.org.alfresco.repo.security.authentication.UpgradePasswordHashWorker=debug
Trace displays a list of all the processed users. Debug is slightly less verbose: it displays only those users whose password was changed.
To monitor users that have their passwords upgraded when they log in, add the following in log4j.properties:
log4j.logger.org.alfresco.repo.security.authentication.HashPasswordTransactionListener=debug