OpenWGA 7.0 - Updating to OpenWGA 7.0

Use new password hashing algorithm

On some occasions OpenWGA stores passwords in hashed form. A hash is a one-way representation: the password cannot be recovered from it. A user-entered password can nevertheless be checked against it simply by hashing the input and comparing the result to the stored hash.

The occasions are:

  • Storage of OpenWGA administrator passwords
  • Storage of passwords via <tml:input type="hashedpassword"/>, as is necessary for documents of an authentication content store

Up until version 6.0 OpenWGA used the SHA-1 algorithm to create these hashes. Today this algorithm is regarded as weak, as it does not provide enough protection against brute-force, dictionary and rainbow-table attacks should the hashes be stolen.

OpenWGA 7.0 introduces a new hashing algorithm based on bcrypt. This algorithm uses dynamic salts and is "adaptive", meaning that the computational cost of creating a hash can be increased over time. It thereby provides good protection against the contemporary types of password attacks. We currently use an iteration cost of 10, performing 2^10 hashing iterations.

While new OpenWGA installations use this algorithm by default, existing installations updating to 6.1 keep the old SHA-1 algorithm. This is so they still create passwords compatible with older OpenWGA versions, in case other OpenWGA installations read the same data.

If this restriction does not apply to you and you want to use the new bcrypt algorithm for your updated installation, you can enable it like this:

  • OpenWGA Admin Client, Menu "Configuration" > "Basic Settings"
  • Click the "Edit" button
  • A new setting labeled "Storage of passwords: Uni-Directional" should have been added to section "Other settings"
  • Change the value of the setting to "BCrypt 10 Hashing"
  • Click the "Save" button

From now on, newly set passwords will be stored using the bcrypt algorithm.

Old passwords that were stored using SHA-1 remain usable. They cannot, however, be migrated automatically to the new format, because the original passwords cannot be recovered from the hashes. To be stored in the new format they have to be set again.
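Because SHA-1 hashes cannot be converted to bcrypt, an administrator may want to find out which stored hashes are still in the old format (or use a bcrypt cost below 10) and therefore need the password set again. The following is an added example, not OpenWGA's own code: it classifies stored hashes by their format, checks a legacy SHA-1 hash the way the text describes, and lists the accounts that still need a reset. The account names and hash strings are constructed sample data.

```python
from __future__ import annotations
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# bcrypt hashes use the modular-crypt form "$2a$<cost>$" + 22-char salt + 31-char digest
# (radix-64 alphabet ./A-Za-z0-9); legacy OpenWGA 6.0 hashes are 40 hex digits of unsalted SHA-1.
BCRYPT_RE = re.compile(r"^\$2[aby]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
SHA1_HEX_RE = re.compile(r"^[0-9a-fA-F]{40}$")
MIN_BCRYPT_COST = 10  # the "BCrypt 10 Hashing" setting: 2**10 key-setup rounds per hash

@dataclass
class HashInfo:
    scheme: str          # "bcrypt", "sha1" or "unknown"
    cost: Optional[int]  # bcrypt cost factor (work = 2**cost rounds), None for other schemes
    needs_reset: bool    # password must be set again to end up as bcrypt with cost >= 10

def classify_hash(stored: str) -> HashInfo:
    """Decide which scheme a stored hash uses from its format alone; no plaintext is needed."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        return HashInfo("bcrypt", cost, cost < MIN_BCRYPT_COST)
    if SHA1_HEX_RE.match(stored):
        return HashInfo("sha1", None, True)
    return HashInfo("unknown", None, True)

def verify_legacy_sha1(password: str, stored_hex: str) -> bool:
    """Check a legacy hash the way the text describes: hash the input and compare it to the
    stored value. compare_digest keeps the time independent of where the strings first differ."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest.lower(), stored_hex.lower())

def accounts_needing_reset(accounts: Dict[str, str]) -> List[str]:
    """Accounts whose hash cannot be converted to bcrypt and must have the password set again."""
    return sorted(name for name, h in accounts.items() if classify_hash(h).needs_reset)

# Constructed sample store (not real OpenWGA data); the bcrypt strings are format-valid only.
SAMPLE_ACCOUNTS = {
    "admin": "$2a$10$AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQ",
    "deploy": "$2a$04$AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQ",  # cost too low
    "editor": hashlib.sha1(b"secret").hexdigest(),  # legacy SHA-1 of a sample password
}

if __name__ == "__main__":
    for name in accounts_needing_reset(SAMPLE_ACCOUNTS):
        print(name, classify_hash(SAMPLE_ACCOUNTS[name]))
```

Run against an export of the stored hashes, the list it prints is the set of accounts whose owners must set their password again after switching the setting to "BCrypt 10 Hashing".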