For security reasons, you should always store passwords in hashed form. That way, if an attacker gains unauthorized access to your database, they will not be able to retrieve the actual passwords of your users. Hashing performs a one-way transformation of the password, producing a value from which it is virtually impossible to reconstruct the original password.

When a user attempts to log in, the supplied password is hashed and compared with the hashed value stored in the database. If the two values match, the login is successful.

There are several mathematically complex hashing algorithms available. Although they all perform a one-way transformation, stronger algorithms are those whose output is more costly to reproduce through trial and error. The goal is to use an algorithm of sufficient complexity that attempts to reproduce its results require enormous computation time.

The ATG platform implements hashing using the java.security.MessageDigest mechanism. The hashing algorithm is specified through the passwordHasher property of the /atg/userprofiling/PropertyManager component. The value of this property is a component of a class that implements the atg.security.PasswordHasher interface. By default, passwordHasher is set to /atg/dynamo/security/SaltedDigestPasswordHasher, which is of class atg.security.SaltedDigestPasswordHasher.

SaltedDigestPasswordHasher digests the password using the SHA-256 algorithm with a random salt, and iteratively rehashes the result. The hash is then converted to a String using base 16 (hexadecimal) encoding. This combination of random salting, a strong hashing algorithm, and repeated rehashing provides strong protection for stored passwords.
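The following is an added illustration of the salt-then-digest-then-rehash scheme described above, written against java.security.MessageDigest; it is not ATG's SaltedDigestPasswordHasher, and the salt length, iteration count, "salt$hash" storage layout and use of java.util.HexFormat (Java 17 or later) are all assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HexFormat;

// Illustration only: not ATG's SaltedDigestPasswordHasher. Salt size,
// iteration count and the "<hex salt>$<hex hash>" layout are assumed here.
public class SaltedDigestExample {
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 10_000;

    /** Digests salt || password with SHA-256, rehashes the result, returns hex. */
    static String digest(byte[] salt, char[] password, int iterations)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        byte[] h = md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < iterations; i++) {
            h = md.digest(h);   // digest() resets the MessageDigest after each call
        }
        return HexFormat.of().formatHex(h);  // base 16 encoding of the final hash
    }

    /** Generates a fresh random salt and returns the value to store for this user. */
    static String hashPassword(char[] password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return HexFormat.of().formatHex(salt) + "$" + digest(salt, password, ITERATIONS);
    }

    /** Login check: re-derive the hash with the stored salt and compare in constant time. */
    static boolean verify(char[] password, String stored) throws NoSuchAlgorithmException {
        String[] parts = stored.split("\\$", 2);
        if (parts.length != 2) return false;
        byte[] salt = HexFormat.of().parseHex(parts[0]);
        byte[] expected = HexFormat.of().parseHex(parts[1]);
        byte[] actual = HexFormat.of().parseHex(digest(salt, password, ITERATIONS));
        return MessageDigest.isEqual(expected, actual);  // avoids timing leaks
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String stored = hashPassword("correct horse".toCharArray());
        System.out.println(stored);                                        // salt$hash
        System.out.println(verify("correct horse".toCharArray(), stored)); // true
        System.out.println(verify("wrong password".toCharArray(), stored)); // false
    }
}
```

Because each user gets a different random salt, two users with the same password produce different stored values, which is the property the unsalted MD5 hasher described below lacks.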

As an alternative, the ATG platform includes the /atg/dynamo/security/DigestPasswordHasher component, which is of class atg.security.DigestPasswordHasher. This hasher was used by default prior to ATG10.2. It is less secure than SaltedDigestPasswordHasher, but is provided for compatibility with older releases. This hasher digests the password using the MD5 algorithm and then encodes the result using base 16 encoding. You can revert to using this hasher by including the md5 configuration layer when you assemble your application. This configuration layer also restores password strength rules for internal accounts to the less strict settings used prior to ATG10.2.

To enable the md5 configuration layer, include the following flag in the runAssembler command when you assemble your application:

-layer md5

You can disable hashing entirely by setting the passwordHasher property of the /atg/userprofiling/PropertyManager component to /atg/dynamo/security/NullPasswordHasher. All passwords will be stored and compared in clear text. Note that this practice is strongly discouraged.


Copyright © 1997, 2013 Oracle and/or its affiliates. All rights reserved.