[discrete]
[[hashing-settings]]
==== User cache and password hash algorithms

Certain realms store user credentials in memory. To limit exposure to
credential theft and mitigate credential compromise, the cache only stores
a hashed version of the user credentials in memory. By default, the user cache
is hashed with a salted `sha-256` hash algorithm. You can use a different
hashing algorithm by setting the `cache.hash_algo` realm setting to any of the
following values:

[[cache-hash-algo]]
.Cache hash algorithms
|=======================
| Algorithm           | | | Description
| `ssha256`           | | | Uses a salted `sha-256` algorithm (default).
| `md5`               | | | Uses `MD5` algorithm.
| `sha1`              | | | Uses `SHA1` algorithm.
| `bcrypt`            | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds.
| `bcrypt4`           | | | Uses `bcrypt` algorithm with salt generated in 16 rounds.
| `bcrypt5`           | | | Uses `bcrypt` algorithm with salt generated in 32 rounds.
| `bcrypt6`           | | | Uses `bcrypt` algorithm with salt generated in 64 rounds.
| `bcrypt7`           | | | Uses `bcrypt` algorithm with salt generated in 128 rounds.
| `bcrypt8`           | | | Uses `bcrypt` algorithm with salt generated in 256 rounds.
| `bcrypt9`           | | | Uses `bcrypt` algorithm with salt generated in 512 rounds.
| `pbkdf2`            | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 10000 iterations.
| `pbkdf2_1000`       | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 1000 iterations.
| `pbkdf2_10000`      | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 10000 iterations.
| `pbkdf2_50000`      | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 50000 iterations.
| `pbkdf2_100000`     | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 100000 iterations.
| `pbkdf2_500000`     | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 500000 iterations.
| `pbkdf2_1000000`    | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 1000000 iterations.
| `noop`,`clear_text` | | | Doesn't hash the credentials and keeps them in clear text in
                            memory. CAUTION: Keeping credentials in clear text is
                            considered insecure and can be compromised at the OS
                            level (for example, through memory dumps and using `ptrace`).
|=======================

Likewise, realms that store passwords hash them using cryptographically strong
and password-specific salt values. You can configure the algorithm for password
hashing by setting the `xpack.security.authc.password_hashing.algorithm` setting
to one of the following:

[[password-hashing-algorithms]]
.Password hashing algorithms
|=======================
| Algorithm           | | | Description
| `bcrypt`            | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds. (default)
| `bcrypt4`           | | | Uses `bcrypt` algorithm with salt generated in 16 rounds.
| `bcrypt5`           | | | Uses `bcrypt` algorithm with salt generated in 32 rounds.
| `bcrypt6`           | | | Uses `bcrypt` algorithm with salt generated in 64 rounds.
| `bcrypt7`           | | | Uses `bcrypt` algorithm with salt generated in 128 rounds.
| `bcrypt8`           | | | Uses `bcrypt` algorithm with salt generated in 256 rounds.
| `bcrypt9`           | | | Uses `bcrypt` algorithm with salt generated in 512 rounds.
| `bcrypt10`          | | | Uses `bcrypt` algorithm with salt generated in 1024 rounds.
| `bcrypt11`          | | | Uses `bcrypt` algorithm with salt generated in 2048 rounds.
| `bcrypt12`          | | | Uses `bcrypt` algorithm with salt generated in 4096 rounds.
| `bcrypt13`          | | | Uses `bcrypt` algorithm with salt generated in 8192 rounds.
| `bcrypt14`          | | | Uses `bcrypt` algorithm with salt generated in 16384 rounds.
| `pbkdf2`            | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 10000 iterations.
| `pbkdf2_1000`       | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 1000 iterations.
| `pbkdf2_10000`      | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 10000 iterations.
| `pbkdf2_50000`      | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 50000 iterations.
| `pbkdf2_100000`     | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 100000 iterations.
| `pbkdf2_500000`     | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 500000 iterations.
| `pbkdf2_1000000`    | | | Uses `PBKDF2` key derivation function with `HMAC-SHA512` as a
                            pseudorandom function using 1000000 iterations.
|=======================
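
The following audit script is an added example, not part of the Elasticsearch documentation or code base. It checks the hashing settings found in a flat `key: value` configuration against the two tables above and flags clear-text, fast-digest, low-cost and unlisted values. The `audit` and `work_factor` helpers, the realm names in the sample and the minimum-cost thresholds are assumptions made for illustration.

```python
import re

# Values accepted by each setting, per the two tables on this page.
PBKDF2 = {"pbkdf2"} | {f"pbkdf2_{n}" for n in (1000, 10000, 50000, 100000, 500000, 1000000)}
CACHE_ALGOS = ({"ssha256", "md5", "sha1", "noop", "clear_text", "bcrypt"}
               | {f"bcrypt{n}" for n in range(4, 10)} | PBKDF2)
PASSWORD_ALGOS = {"bcrypt"} | {f"bcrypt{n}" for n in range(4, 15)} | PBKDF2
NO_WORK_FACTOR = {"noop": "cleartext", "clear_text": "cleartext",
                  "md5": "fast-digest", "sha1": "fast-digest"}

def work_factor(algo):
    """Return (family, rounds or iterations) as the tables describe them."""
    m = re.fullmatch(r"bcrypt(\d+)?", algo)
    if m:
        return "bcrypt", 2 ** int(m.group(1) or 10)   # plain bcrypt = 1024 rounds
    m = re.fullmatch(r"pbkdf2(?:_(\d+))?", algo)
    if m:
        return "pbkdf2", int(m.group(1) or 10000)     # plain pbkdf2 = 10000 iterations
    return algo, None

def audit(yml_text, min_bcrypt=1024, min_pbkdf2=10000):  # thresholds: assumed policy
    """Return (key, value, finding) for each hashing setting in flat `key: value` lines."""
    findings, minimum = [], {"bcrypt": min_bcrypt, "pbkdf2": min_pbkdf2}
    for line in yml_text.splitlines():
        key, _, value = (p.strip(" '\"") for p in line.split("#")[0].partition(":"))
        if key.endswith(".cache.hash_algo"):
            allowed = CACHE_ALGOS
        elif key == "xpack.security.authc.password_hashing.algorithm":
            allowed = PASSWORD_ALGOS
        else:
            continue
        family, cost = work_factor(value)
        if value not in allowed:
            finding = "not-listed"            # absent from this setting's table
        elif value in NO_WORK_FACTOR:
            finding = NO_WORK_FACTOR[value]   # clear text, or a single fast hash
        else:
            finding = "low-cost" if family in minimum and cost < minimum[family] else "ok"
        findings.append((key, value, finding))
    return findings

# Constructed sample; the realm names are made up for illustration.
SAMPLE = """\
xpack.security.authc.password_hashing.algorithm: bcrypt4
xpack.security.authc.realms.native.native1.cache.hash_algo: md5
xpack.security.authc.realms.ldap.ldap1.cache.hash_algo: bcrypt12
xpack.security.authc.realms.file.file1.cache.hash_algo: pbkdf2_50000
"""
```

Calling `audit(SAMPLE)` reports `bcrypt12` on a realm cache as `not-listed` because the cache table above stops at `bcrypt9`, while the same value is accepted for `xpack.security.authc.password_hashing.algorithm`.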