Using the bcrypt hashing algorithm for Password property types
Bcrypt is an adaptive hashing algorithm that is based on the Blowfish symmetric block cipher. Bcrypt uses a modified, deliberately expensive key setup whose cost can be raised as hardware gets faster. This key strengthening makes a password hash more resistant to brute-force attacks, because an attacker must spend a substantial amount of time testing each candidate password.
Beginning with version 7.2.2, the Pega 7 Platform uses salted bcrypt as the default hashing algorithm for Password property types.
Changing the hashing algorithm
For on-premises deployments, to be certain that the salted bcrypt algorithm is used, remove all cryptography-related configuration settings from the file:
- crypto/v5oneway
- crypto/v5onewahsha1
- crypto/v5portable
- crypto/onewayhashalgorithm
- crypto/updatehash
Convert preexisting password hashes to use the new algorithm by editing or creating the following Dynamic System Settings in Designer Studio.
| Dynamic System Setting | Owning ruleset | Setting purpose | Value |
|---|---|---|---|
| one way hash algorithm | Pega-Engine | prconfig/crypto/onewayhashalgorithm | bcrypt |
| update hash | Pega-Engine | prconfig/crypto/updatehash | true |
For more information about configuring Dynamic System Settings, see Adding a Dynamic System Setting.