All versions Alfresco Content Services 6.2 used the MD4 (Message Digest 4) and SHA256 hash algorithms (mainly to support NLTM) to store critical data. But this is no longer considered a secure approach as the hashed password is very easy to decrypt. You now have the option to configure Alfresco Content Services to use Bcrypt to store passwords. By default, the system uses MD4 to allow users to use MD4 hashed passwords for alfrescoNTLM authentication.
Bcrypt is an adaptive hash function based on the Blowfish symmetric block cipher cryptographic algorithm. It is incredibly slow to hash input compared to other functions, but this results in a much better output hash. Alfresco Content Services is configured to use a strength of 10 to provide a good compromise of speed and strength.
You can run a background job to completely remove all the old hashed passwords for those users that have not logged in yet. If the system is still set to md4, all user objects will be upgraded. However, the background job will maintain the current hash.
If the background job is executed after the system.preferred.password.encoding property has been changed, it will double-hash all the user objects in the system (unless they have already been upgraded by the user logging in). As a result, the system will temporarily hash (until the user logs in) the current hashed password, store the list of encoders used, and clean out the old hashes.
- system.upgradePasswordHash.jobBatchSize: Specifies the number of user objects to process in each batch.
- system.upgradePasswordHash.jobQueryRange: Specifies the nodeId range to search for in each iteration.
- system.upgradePasswordHash.jobThreadCount: Specifies the number of threads the batch processor uses.
system.upgradePasswordHash.jobCronExpression=0 0/10 * * * ?Alternatively, the job can be executed immediately via a JMX console. The job makes use of JobLockService so it is safe to run in a clustered environment.
If the password upgrade job is enabled, make sure you enable the log4j.logger.org.alfresco.repo.security.authentication.UpgradePasswordHashWorker logging in log4j.properties.
You can either set it to trace or debug as shown below:
log4j.logger.org.alfresco.repo.security.authentication.UpgradePasswordHashWorker=trace OR log4j.logger.org.alfresco.repo.security.authentication.UpgradePasswordHashWorker=debug
Trace displays a list of all the processed users. Debug is a slightly less verbose output; it displays a list of only those users whose password was changed.
To monitor users that have their passwords upgraded when they log in, add the following in log4j.properties: