When storing credentials such as passwords and client secrets in local/database storage, Smile CDR uses a configurable secure hashing algorithm. Each password is individually salted and then hashed in order to defend against brute-force cracking attempts, should an attacker gain access to the database.
Because the algorithm used is stored along with the hash, the hashing algorithm may be modified over time without invalidating existing passwords. In other words, if the hashing algorithm is changed, any passwords that are set in the future will use the new algorithm, but any passwords created in the past will continue to use the previous hashing algorithm.
Algorithms can be set for the following properties:
The following table shows the currently available hashing algorithms. The speeds show the average time taken to hash a single password on a server with average hardware (a 2.7 GHz Intel Core i7 was used for these values).
Care should be taken when selecting an appropriate level of security. If it takes 1000ms to hash a single password, brute-force cracking of the password is exceedingly difficult, but it also means that each user login will take a full second of processing time before it can proceed.
| Algorithm | Description | Average time |
|---|---|---|
| SHA256_1000_ROUND | SHA2-256 with 1,000 rounds | 4ms/password over 10 passes |
| SHA256_10000_ROUND | SHA2-256 with 10,000 rounds | 44ms/password over 10 passes |
| SHA256_100000_ROUND | SHA2-256 with 100,000 rounds | 223ms/password over 10 passes |
| PBKDF2_256_1000_RND | PBKDF2-256 with 1,000 rounds | 14ms/password over 10 passes |
| PBKDF2_256_10000_RND | PBKDF2-256 with 10,000 rounds | 34ms/password over 10 passes |
| PBKDF2_256_100000_RND | PBKDF2-256 with 100,000 rounds | 189ms/password over 10 passes |
| BCRYPT_10_ROUND | BCrypt with 10 rounds | 73ms/password over 10 passes |
| BCRYPT_12_ROUND | BCrypt with 12 rounds | 238ms/password over 10 passes |
| BCRYPT_14_ROUND | BCrypt with 14 rounds | 925ms/password over 10 passes |
| BCRYPT_16_ROUND | BCrypt with 16 rounds | 3796ms/password over 10 passes |
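The two points above, a self-describing hash record that lets the configured algorithm change without invalidating existing passwords, and the "ms/password over 10 passes" measurement used to weigh work factor against login latency, are illustrated by the following added example. It is not Smile CDR's code: the `ALGORITHM$salt$hash` record layout, the `CredentialStore` class and the PBKDF2-only algorithm table are assumptions made for the illustration, and only the identifier names are borrowed from the table above.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional

# Constructed algorithm table for this example. The identifiers follow the naming
# scheme in the page's table, but the implementation is an assumption, not Smile CDR's.
# Each entry maps an identifier to (PRF digest, iteration count).
ALGORITHMS = {
    "PBKDF2_256_1000_RND": ("sha256", 1_000),
    "PBKDF2_256_10000_RND": ("sha256", 10_000),
    "PBKDF2_256_100000_RND": ("sha256", 100_000),
}


def hash_password(password: str, algorithm: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh 16-byte random salt and return a self-describing record.

    Record layout (an assumption for this example): ALGORITHM$salt_hex$hash_hex.
    Storing the algorithm identifier next to the hash is what lets verification
    pick the right parameters later, even after the configured algorithm changes.
    """
    digest, rounds = ALGORITHMS[algorithm]
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, rounds)
    return f"{algorithm}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive using the algorithm and salt recorded with the hash, then compare
    in constant time so timing does not leak how many bytes matched."""
    algorithm, salt_hex, hash_hex = record.split("$")
    digest, rounds = ALGORITHMS[algorithm]
    derived = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(derived.hex(), hash_hex)


class CredentialStore:
    """Minimal store: the configured algorithm affects only passwords set from now on."""

    def __init__(self, algorithm: str) -> None:
        self.algorithm = algorithm
        self.records: Dict[str, str] = {}

    def set_password(self, user: str, password: str) -> None:
        self.records[user] = hash_password(password, self.algorithm)

    def check(self, user: str, password: str) -> bool:
        # Verification never consults self.algorithm; the record carries its own.
        record = self.records.get(user)
        return record is not None and verify_password(password, record)

    def stored_algorithm(self, user: str) -> str:
        return self.records[user].split("$", 1)[0]


def time_algorithm(algorithm: str, passes: int = 10) -> float:
    """Average milliseconds per password over `passes` hashes, the same method the
    page's table uses, so the login-latency cost of a setting can be measured on
    the actual server hardware rather than read off someone else's benchmark."""
    start = time.perf_counter()
    for _ in range(passes):
        hash_password("benchmark-only-password", algorithm)
    return (time.perf_counter() - start) * 1000.0 / passes


if __name__ == "__main__":
    store = CredentialStore("PBKDF2_256_1000_RND")
    store.set_password("alice", "correct horse battery staple")
    # Operator raises the work factor; alice's existing record keeps its algorithm.
    store.algorithm = "PBKDF2_256_100000_RND"
    store.set_password("bob", "hunter2")
    print(store.stored_algorithm("alice"), store.check("alice", "correct horse battery staple"))
    print(store.stored_algorithm("bob"), store.check("bob", "hunter2"))
    for name in ALGORITHMS:
        print(f"{name}: {time_algorithm(name):.1f}ms/password over 10 passes")
```

Running the script on a deployment's own hardware gives the per-algorithm figure that matters for capacity planning; the numbers in the table above came from one particular 2.7 GHz Core i7 and will differ elsewhere.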