52.3.1 Password Hashing Algorithms


When storing credentials such as passwords and client secrets in local/database storage, Smile CDR uses a configurable secure hashing algorithm. Each password is individually salted and then hashed in order to defend against brute force cracking attempts, should an attacker gain access to the database.

Because the algorithm used is stored along with the hash, the hashing algorithm may be modified over time without invalidating existing passwords. In other words, if the hashing algorithm is changed, any passwords that are set in the future will use the new algorithm, but any passwords created in the past will continue to use the previous hashing algorithm.

Algorithms can be set for the following properties:

52.3.2 Available Algorithms


The following table shows the currently available hashing algorithms. The speeds show the average time taken to hash a single password on a server with average hardware (a 2.7 GHz Intel Core i7 was used for these values).

Care should be taken when selecting an appropriate level of security. If it takes 1000ms to hash a single password, brute-force cracking of that password is exceedingly difficult, but it also means that each user login will consume a full second of processing time before it can proceed.

Name                    Description                       Speed
SHA256_1000_ROUND       SHA2-256 with 1,000 rounds        4ms/password over 10 passes
SHA256_10000_ROUND      SHA2-256 with 10,000 rounds       44ms/password over 10 passes
SHA256_100000_ROUND     SHA2-256 with 100,000 rounds      223ms/password over 10 passes
PBKDF2_256_1000_RND     PBKDF2-256 with 1,000 rounds      14ms/password over 10 passes
PBKDF2_256_10000_RND    PBKDF2-256 with 10,000 rounds     34ms/password over 10 passes
PBKDF2_256_100000_RND   PBKDF2-256 with 100,000 rounds    189ms/password over 10 passes
BCRYPT_10_ROUND         BCrypt with 10 rounds             73ms/password over 10 passes
BCRYPT_12_ROUND         BCrypt with 12 rounds             238ms/password over 10 passes
BCRYPT_14_ROUND         BCrypt with 14 rounds             925ms/password over 10 passes
BCRYPT_16_ROUND         BCrypt with 16 rounds             3796ms/password over 10 passes
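The two mechanisms described above (a per-password salt with the algorithm name stored alongside the hash, so the algorithm can be changed without invalidating existing passwords, and measuring the per-password cost before choosing a round count) are illustrated in the following added example. It is not Smile CDR's code, and the `ALGO$salt$hash` record layout, the `ALGORITHMS` registry and the `login` upgrade helper are assumptions made for this illustration; only the algorithm names come from the table above. BCrypt is omitted because it needs a third-party library; the SHA-256 and PBKDF2 entries use only the Python standard library.

```python
import hashlib
import hmac
import os
import time

# Assumed registry: algorithm name (from the documentation table) -> (construction, rounds).
# The construction and the record format below are this example's own choices.
ALGORITHMS = {
    "SHA256_1000_ROUND": ("sha256_rounds", 1_000),
    "SHA256_10000_ROUND": ("sha256_rounds", 10_000),
    "SHA256_100000_ROUND": ("sha256_rounds", 100_000),
    "PBKDF2_256_1000_RND": ("pbkdf2_sha256", 1_000),
    "PBKDF2_256_10000_RND": ("pbkdf2_sha256", 10_000),
    "PBKDF2_256_100000_RND": ("pbkdf2_sha256", 100_000),
}


def _digest(kind, rounds, salt, password):
    """Compute the raw digest for one algorithm family (assumed constructions)."""
    pw = password.encode("utf-8")
    if kind == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, rounds, dklen=32)
    if kind == "sha256_rounds":
        # Salted, iterated SHA-256: each round feeds the previous digest back in.
        d = hashlib.sha256(salt + pw).digest()
        for _ in range(rounds - 1):
            d = hashlib.sha256(d + pw).digest()
        return d
    raise ValueError(f"unknown hash kind {kind!r}")


def hash_password(password, algorithm, salt=None):
    """Return a self-describing record 'ALGORITHM$salt_hex$hash_hex' (assumed layout)."""
    kind, rounds = ALGORITHMS[algorithm]
    salt = os.urandom(16) if salt is None else salt  # fresh per-password salt
    return f"{algorithm}${salt.hex()}${_digest(kind, rounds, salt, password).hex()}"


def algorithm_of(stored):
    """The algorithm name is read from the record, not from configuration."""
    return stored.split("$")[0]


def verify_password(password, stored):
    """Recompute with the algorithm and salt stored in the record; compare in constant time."""
    algorithm, salt_hex, hash_hex = stored.split("$")
    kind, rounds = ALGORITHMS[algorithm]
    computed = _digest(kind, rounds, bytes.fromhex(salt_hex), password)
    return hmac.compare_digest(computed, bytes.fromhex(hash_hex))


def login(password, stored, current_algorithm):
    """Verify against the old record; on success, rehash with the configured algorithm.

    Returns (ok, record): the record to persist, which is upgraded only when the
    password was correct and the stored algorithm differs from the current one.
    """
    if not verify_password(password, stored):
        return False, stored
    if algorithm_of(stored) != current_algorithm:
        return True, hash_password(password, current_algorithm)
    return True, stored


def time_per_hash_ms(algorithm, passes=10):
    """Average wall-clock milliseconds per hash, measured over several passes."""
    start = time.perf_counter()
    for _ in range(passes):
        hash_password("benchmark-password", algorithm)
    return (time.perf_counter() - start) * 1000 / passes


if __name__ == "__main__":
    old = hash_password("correct horse battery staple", "PBKDF2_256_1000_RND")
    ok, upgraded = login("correct horse battery staple", old, "PBKDF2_256_100000_RND")
    print(ok, algorithm_of(old), "->", algorithm_of(upgraded))
    for name in ALGORITHMS:
        print(f"{name:24s} {time_per_hash_ms(name):8.1f} ms/password")
```

Because the algorithm name travels with each record, a record written under `PBKDF2_256_1000_RND` still verifies after the configuration moves to `PBKDF2_256_100000_RND`; the upgrade happens lazily at the next successful login, when the plaintext is available. Running the `__main__` block prints per-algorithm timings on your own hardware, which is the figure to compare against the table before choosing a round count.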