...

  • Workfactor
    Datatype: Integer, minimum 16000.
    Default: 64000.
    The workfactor controls how much computation each password hash costs and therefore how expensive an exhaustive search (brute force) is: an attacker has to pay the same cost for every guess. In general the higher the better, but the same cost applies to every legitimate hash computation, so a higher workfactor also slows down key generation, i.e. login and password changes. The ideal value depends on your password policy, the hardware the verification runs on and the expected login load; measure how long a single hash takes on production hardware before settling on a number. Because the hardware available for brute forcing keeps getting faster, plan to raise the workfactor on a regular basis, for example by 16000 each year.
     
  • Pepper
    Datatype: Base64 encoded byte array.
    Default: not set.
    The pepper is a secret, application-wide random byte array that is used to key the underlying HMAC before hashing. Because every stored hash then depends on the pepper as well as the password, an attacker who obtains only the hash values (for example from a database dump) cannot crack the passwords offline without also compromising the pepper. Used correctly this is a strong defence, but it requires a strict policy for generating, storing and protecting the pepper:

    * Generate the pepper from a cryptographically secure random source (32 bytes is a sensible size) and never reuse a value from documentation or from another environment.
    * The pepper must never be stored in the same physical storage as the hash values; keep it in a secret store or protected configuration on the application host, not in the database.
    * If the pepper storage is lost, all stored hashes become unverifiable and every user has to reset their password. Back the pepper up as carefully as any other key.
    * Once hashes have been computed with a pepper you cannot revert to a non-pepper strategy, because the stored hashes can only be verified with that pepper; the same applies to changing the pepper value.

...

This example shows how to set up a system using a workfactor of 80000 and a custom 32-byte pepper:

```xml
<configuration>
  <configSections>
    <section name="passwordHashing" type="Digieyez.Digizuite.DigiZuiteLogic.PasswordHandling.Configuration.PasswordHashingSection" />
  </configSections>
  <connectionStrings />
  <!-- The pepper below is a sample value for illustration only; generate your own and keep it out of source control. -->
  <passwordHashing workfactor="80000" pepper="hOHdlAaF3xZA4uON5hMuNiBeV5kfudE1w1szOLJ/Mjk=" />
</configuration>
```
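
The following is an added example written for this page, not Digizuite's own code. It generates a pepper in the Base64 form the `pepper` attribute takes, enforces the documented minimum workfactor, times a single hash so the workfactor can be calibrated to your hardware, and shows what the pepper buys you: a dictionary attack against a stolen hash fails without the pepper and succeeds with it. The hash construction (the pepper keying an HMAC over the password, whose output is then run through PBKDF2-HMAC-SHA256 with a per-user salt and `workfactor` iterations) is an assumption chosen for illustration; the page does not document Digizuite's actual algorithm. The user, password, salt and wordlist are constructed test data.

```python
"""Illustrative peppered password hashing: calibrate a workfactor and see what the
pepper buys you. Example code for this page, NOT Digizuite's implementation; the
PBKDF2-HMAC-SHA256 construction below is an assumption."""
import base64
import hashlib
import hmac
import secrets
import time

MIN_WORKFACTOR = 16000       # documented minimum for the workfactor setting
DEFAULT_WORKFACTOR = 64000   # documented default


def generate_pepper(length: int = 32) -> str:
    """Create a fresh application-wide pepper in the Base64 form the config attribute takes.
    Store the returned string outside the database that holds the hashes."""
    return base64.b64encode(secrets.token_bytes(length)).decode("ascii")


def hash_password(password: str, salt: bytes, workfactor: int, pepper_b64: str = "") -> bytes:
    """Derive a hash. ASSUMED construction: the pepper keys an HMAC over the password,
    and that HMAC output (or the bare password when no pepper is set) is fed to
    PBKDF2-HMAC-SHA256 with the per-user salt and `workfactor` iterations."""
    if workfactor < MIN_WORKFACTOR:
        raise ValueError(f"workfactor {workfactor} is below the minimum {MIN_WORKFACTOR}")
    material = password.encode("utf-8")
    if pepper_b64:
        pepper = base64.b64decode(pepper_b64)
        if len(pepper) < 16:
            raise ValueError("pepper is too short to be useful")
        material = hmac.new(pepper, material, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, workfactor, dklen=32)


def verify_password(password: str, salt: bytes, workfactor: int, stored: bytes, pepper_b64: str = "") -> bool:
    """Constant-time comparison of a freshly derived hash against the stored one."""
    candidate = hash_password(password, salt, workfactor, pepper_b64)
    return hmac.compare_digest(candidate, stored)


def seconds_per_hash(workfactor: int, rounds: int = 3) -> float:
    """Time one hash on this hardware; use it to pick a workfactor that fits the
    login latency budget, and re-measure when scheduling the yearly increase."""
    salt = secrets.token_bytes(16)
    start = time.perf_counter()
    for _ in range(rounds):
        hash_password("calibration-only", salt, workfactor)
    return (time.perf_counter() - start) / rounds


def dictionary_attack(stored: bytes, salt: bytes, workfactor: int, wordlist, pepper_b64: str = ""):
    """What an attacker holding the hash table can do: try every guess. Without the
    pepper each guess is derived from the wrong keyed material and never matches."""
    for guess in wordlist:
        if verify_password(guess, salt, workfactor, stored, pepper_b64):
            return guess
    return None


# Constructed demo data (not from the page): one user and a small leaked wordlist.
PEPPER = generate_pepper()
SALT = secrets.token_bytes(16)
STORED = hash_password("Winter2024!", SALT, MIN_WORKFACTOR, PEPPER)
WORDLIST = ["password", "Summer2023", "Winter2024!", "letmein"]


def demo() -> dict:
    """Run the three scenarios and return the outcomes so they can be checked."""
    return {
        # attacker has the hash and salt but not the pepper: no guess matches
        "hash_only": dictionary_attack(STORED, SALT, MIN_WORKFACTOR, WORDLIST),
        # attacker also stole the pepper: the weak password falls immediately
        "hash_and_pepper": dictionary_attack(STORED, SALT, MIN_WORKFACTOR, WORDLIST, PEPPER),
        # a hash made at one workfactor does not verify at another in this construction
        "wrong_workfactor": verify_password("Winter2024!", SALT, DEFAULT_WORKFACTOR, STORED, PEPPER),
    }


if __name__ == "__main__":
    print(demo())
    for wf in (MIN_WORKFACTOR, DEFAULT_WORKFACTOR, 80000):
        print(f"workfactor={wf}: {seconds_per_hash(wf) * 1000:.1f} ms per hash")
```

Running the script prints the three outcomes and the measured cost per hash at 16000, 64000 and 80000 iterations, which is the number to compare against your login latency budget. The `wrong_workfactor` case is the caveat for the scheduled yearly increase: in this construction a hash made under the old workfactor does not verify under the new one, so before raising the value check how the system treats hashes created under the previous setting (a common approach is to store the workfactor next to each hash and re-hash on the user's next successful login); the page does not say how Digizuite handles this.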

...