Bcrypt hashing algorithm for Password property types
To provide extra protection against brute-force attacks, Pega Platform uses salted bcrypt as the default hashing algorithm for Password property types. Bcrypt uses a modified key setup algorithm that requires a long time to process. Key strengthening makes a password more secure against brute-force attacks, meaning potential attackers must spend a substantial amount of time testing every possible key.
Bcrypt is an adaptive hashing algorithm based on the Blowfish symmetric block cipher cryptographic algorithm.
Changing the encryption algorithm
For on-premises deployments, ensure that you are using the salted bcrypt algorithm by
removing all cryptographic‑related configuration settings from the
prconfig.xml
file:
- crypto/v5oneway
- crypto/v5onewahsha1
- crypto/v5portable
- crypto/onewayhashalgorithm
- crypto/updatehash
Convert preexisting password hashes to use the new algorithm by editing or creating the following Dynamic System Settings in Dev Studio:
Dynamic System Setting | Owning ruleset | Setting purpose | Value |
one way hash algorithm | Pega-Engine | prconfig/crypto/onewayhashalgorithm | bcrypt |
update hash | Pega-Engine | prconfig/crypto/updatehash | true |