|
| 1 | +# Securing a JDBC User Store with Hashing |
| 2 | + |
| 3 | +WSO2 Identity Server secures user credentials by hashing passwords before storing them in JDBC user stores. By default, WSO2 Identity Server uses the SHA-256 algorithm for JDBC user stores, while also supporting other methods such as MD5, PBKDF2, and BCRYPT. Among these, PBKDF2 and BCRYPT are the recommended modern algorithms offering built-in salting, configurable computational cost, and strong resistance against brute-force and pre-computed attacks making them ideal choices for securing user credentials in production environments. |
| 4 | + |
| 5 | +## Available Hashing Algorithms in WSO2 Identity Server |
| 6 | +WSO2 Identity Server provides several hashing algorithms for storing user passwords. These methods are configured by setting the **PasswordDigest** property in the user store configuration. While SHA-256 is the default for JDBC user stores, modern production environments should utilize PBKDF2 or BCRYPT due to their enhanced security features. |
| 7 | + |
| 8 | +The table below summarizes the available values for the PasswordDigest property: |
| 9 | + |
| 10 | +<table> |
| 11 | + <thead> |
| 12 | + <tr class="header"> |
| 13 | + <th>Password Hash Method</th> |
| 14 | + <th>Description</th> |
| 15 | + </tr> |
| 16 | + </thead> |
| 17 | + <tbody> |
| 18 | + <tr class="odd"> |
| 19 | + <td>SHA</td> |
| 20 | + <td> Uses SHA digest method (SHA-1 or SHA-256). If you enter only SHA for the PasswordDigest property, it is interpreted as SHA-1. Note that SHA-256 is the default digest method used by WSO2 IS for JDBC user stores if no value is explicitly configured.</td> |
| 21 | + </tr> |
| 22 | + <tr class = "odd"> |
| 23 | + <td>MD5</td> |
| 24 | + <td>Uses MD5 digest method</td> |
| 25 | + </tr> |
| 26 | + <tr class="even"> |
| 27 | + <td>PLAIN_TEXT</td> |
| 28 | + <td>Stores passwords in plain text</td> |
| 29 | + </tr> |
| 30 | + <tr class="even"> |
| 31 | + <td>PBKDF2</td> |
| 32 | + <td>A modern, NIST-recommended key derivation function that reduces brute-force attack risks.</td> |
| 33 | + </tr> |
| 34 | + <tr class="even"> |
| 35 | + <td>BCRYPT</td> |
| 36 | + <td>A modern password hashing function with built-in salting and adaptive cost factor.</td> |
| 37 | + </tr> |
| 38 | + </tbody> |
| 39 | + </table> |
| 40 | + |
| 41 | +## Configuring BCRYPT and PBKDF2 Password Hashing for JDBC User Stores |
| 42 | + |
| 43 | +This section guides you on how to configure BCRYPT and PBKDF2 hashing algorithms on primary and secondary JDBC user stores. |
| 44 | + |
| 45 | +### For primary JDBC user store |
| 46 | + |
| 47 | +!!! note |
| 48 | + PBKDF2 and BCRYPT are supported by [primary JDBC user stores](https://is.docs.wso2.com/en/7.0.0/guides/users/user-stores/primary-user-store/configure-a-jdbc-user-store/) but must be enabled in the deployment.toml file before initial server startup. |
| 49 | + |
| 50 | +1. Open the deployment.toml file located in the `<IS_HOME>/repository/conf` directory. |
| 51 | + |
| 52 | +2. Add the following configurations under the `[user_store.properties]` section. If the section does not exist, you can add it. |
| 53 | + |
| 54 | + |
| 55 | +**PBKDF2 Configuration** |
| 56 | + |
| 57 | + ```bash |
| 58 | + [user_store.properties] |
| 59 | + PasswordDigest = "PBKDF2" |
| 60 | + "Hash.Algorithm.Properties" = "{pbkdf2.iteration.count:10000, pbkdf2.dkLength:256, pbkdf2.prf:PBKDF2WithHmacSHA256}" |
| 61 | + ``` |
| 62 | + |
| 63 | +**BCRYPT Configuration** |
| 64 | + |
| 65 | + ```bash |
| 66 | + [user_store.properties] |
| 67 | + PasswordDigest = "BCRYPT" |
| 68 | + StoreSaltedPassword = "false" |
| 69 | + "Hash.Algorithm.Properties" = "{bcrypt.version:2a,bcrypt.cost.factor:10}" |
| 70 | + ``` |
| 71 | + |
| 72 | +### For secondary JDBC user store |
| 73 | + |
| 74 | +To configure PBKDF2 or BCRYPT in secondary JDBC user store: |
| 75 | + |
| 76 | +1. Login to the Identity Server management console (`https://<IS_HOST>:<PORT>/console`) and [create a JDBC user store]({{base_path}}/guides/users/user-stores/configure-secondary-user-stores). |
| 77 | + |
| 78 | + !!! Note "Existing user stores" |
| 79 | + - You may also use an existing user store which does not have any users in it. If you already have users in the user store, once the hashing algorithm is configured these users will not be able to get authenticated. |
| 80 | + - Such cases will impact with bad user experience as the users will not get authenticated even when they try to login using the correct credentials. Admins may use the following approaches to reset the user passwords after configuring the PBKDF2 hashing algorithm on an existing user store: |
| 81 | + - Ask users to [reset their own passwords]({{base_path}}/guides/user-self-service/customer-self-service-portal). |
| 82 | + - Trigger password reset for all accounts of the user store using [admin initiated password reset]({{base_path}}/guides/users/manage-users#reset-the-users-password). |
| 83 | + |
| 84 | +2. Navigate to **User Attributes & Stores** > **User Stores**, select the secondary JDBC user store you have created. |
| 85 | +3. Navigate to the **User** tab of the user store and expand the **Show more** section. |
| 86 | +4. Edit the following properties with the values given: |
| 87 | + <table> |
| 88 | + <tr> |
| 89 | + <th>Property</th> |
| 90 | + <th>PBKDF2 Value</th> |
| 91 | + <th>BCRYPT Value</th> |
| 92 | + <th>Description</th> |
| 93 | + </tr> |
| 94 | + <tr> |
| 95 | + <td>Password Hashing Algorithm</td> |
| 96 | + <td><code>PBKDF2</code></td> |
| 97 | + <td><code>BCRYPT</code></td> |
| 98 | + <td>Name of the hashing algorithm supported by the user store.</td> |
| 99 | + </tr> |
| 100 | + <tr> |
| 101 | + <td>Enable Salted Passwords</td> |
| 102 | + <td><code>N/A</code></td> |
| 103 | + <td><code>false</code></td> |
| 104 | + <td>When set to true (which is the default and recommended value for JDBC user stores), WSO2 ensures that a unique, random salt is generated and stored along with the hashed password for every user.</td> |
| 105 | + </tr> |
| 106 | + <tr> |
| 107 | + <td>User Store Hashing Configurations</td> |
| 108 | + <td><code>{pbkdf2.iteration.count:10000, pbkdf2.dkLength:256, pbkdf2.prf:PBKDF2WithHmacSHA256} </code></td> |
| 109 | + <td><code>{bcrypt.version:2b,bcrypt.cost.factor:12}</code></td> |
| 110 | + <td>Additional parameters required for password hashing algorithm. This should be given in JSON format. Learn more about these configurations in [PBKDF2](#pbkdf2-parameters) and [BCRYPT](#bcrypt-parameters).</td> |
| 111 | + </tr> |
| 112 | + </table> |
| 113 | + |
| 114 | +5. Click **Update** to save the configurations. |
| 115 | + |
| 116 | +### PBKDF2 Parameters |
| 117 | + |
| 118 | +When configuring the PBKDF2 hashing algorithm the following parameters must be specified in the configurations: |
| 119 | + |
| 120 | +<table> |
| 121 | + <tr> |
| 122 | + <th>Parameter</th> |
| 123 | + <th>Parameter name</th> |
| 124 | + <th>Recommended Value</th> |
| 125 | + <th>Description</th> |
| 126 | + </tr> |
| 127 | + <tr> |
| 128 | + <td><code>pbkdf2.iteration.count</code></td> |
| 129 | + <td>Iteration count</td> |
| 130 | + <td><code>10000</code></td> |
| 131 | + <td>Number of times hashing is performed.</td> |
| 132 | + </tr> |
| 133 | + <tr> |
| 134 | + <td><code>pbkdf2.dkLength</code></td> |
| 135 | + <td>Derived Key Length</td> |
| 136 | + <td><code>256</code></td> |
| 137 | + <td>Bit length of the generated hash value.</td> |
| 138 | + </tr> |
| 139 | + <tr> |
| 140 | + <td><code>pbkdf2.prf</code></td> |
| 141 | + <td>Pseudo-Random Function </td> |
| 142 | + <td><code>PBKDF2WithHmacSHA256</code></td> |
| 143 | + <td>The key component of the PBKDF2 hashing algorithm in which the actual hashing part is done.</td> |
| 144 | + </tr> |
| 145 | +</table> |
| 146 | + |
| 147 | +!!! Note |
| 148 | + NIST recommends `PBKDF2WithHmacSHA256` as the pseudo-random function (prf) value, but the prf can also be changed. Some examples of possible prf values are as follows: |
| 149 | + |
| 150 | + - `PBKDF2WithHmacSHA512` |
| 151 | + - `PBKDF2WithHmacSHA256` |
| 152 | + - `PBKDF2WithHmacSHA1` |
| 153 | + |
| 154 | +### BCRYPT Parameters |
| 155 | + |
| 156 | +When configuring the BCRYPT hashing algorithm the following parameters must be specified in the configurations: |
| 157 | + |
| 158 | + <table> |
| 159 | + <thead> |
| 160 | + <tr class="header"> |
| 161 | + <th >Parameter Name</th> |
| 162 | + <th>Description</th> |
| 163 | + <th>Default Value</th> |
| 164 | + <th>Possible Values</th> |
| 165 | + </tr> |
| 166 | + </thead> |
| 167 | + <tbody> |
| 168 | + <tr class="odd"> |
| 169 | + <td><code>bcrypt.version</code></td> |
| 170 | + <td>Version of the BCRYPT algorithm</td> |
| 171 | + <td><code>2b</code></td> |
| 172 | + <td><code>2a</code> <code>2b</code> <code>2y</code></td> |
| 173 | + </tr> |
| 174 | + <tr class="even"> |
| 175 | + <td><code>bcrypt.cost.factor</code></td> |
| 176 | + <td>Cost factor of the BCRYPT algorithm</td> |
| 177 | + <td><code>12</code></td> |
| 178 | + <td><code>4 - 31</code></td> |
| 179 | + </tr> |
| 180 | + </tbody> |
| 181 | +</table> |
0 commit comments