Password hashing
- Updated: 2021/10/09
Password hashing does a one-way, permanent transformation of the passwords of the Control Room users, in line with standard password management practices.
Control Room passwords are concatenated with a salt and then hashed using the PBKDF2WithHmacSHA512 algorithm before being stored in the database.
- The salt is 256 bits in size and is randomly generated by a cryptographically secure PRNG.
- The HMAC SHA512 algorithm is used for hashing and provides additional security over traditional approaches.
- A keyed hash provides protection against hash length extension attacks.
- The 512-bit output of SHA-512 is larger than the commonly used 256-bit output of SHA-256.
- The key used for the HMAC is from the secure Password-Based Key Derivation Function (PBKDF2).
- Hashing is done for 100,000 rounds (based on NIST recommendations).
Every time a Bot Creator or Bot Runner authenticates against Control Room, the supplied credentials are verified against the stored hashed credentials.
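The scheme described above (a 256-bit salt from a CSPRNG, PBKDF2 with HMAC-SHA512 for 100,000 rounds, and verification against the stored hash), as an added example that is not Control Room's own code. It uses Python's `hashlib.pbkdf2_hmac`, which implements the same construction the page names by its Java identifier `PBKDF2WithHmacSHA512`. The 64-byte derived-key length, the `pbkdf2_sha512$rounds$salt$hash` storage format and the `needs_rehash` check are this example's own assumptions, not something the page specifies.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters taken from the page: 256-bit random salt, PBKDF2 with HMAC-SHA512,
# 100,000 rounds. DK_LEN, SCHEME and the record format are this example's choices.
SALT_BYTES = 32
ITERATIONS = 100_000
DIGEST = "sha512"
DK_LEN = 64  # 512-bit derived key, the same size as the HMAC-SHA512 output
SCHEME = "pbkdf2_sha512"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> tuple:
    """Salt and stretch a password; returns (salt, derived_key).

    A fresh salt comes from os.urandom, the OS CSPRNG, so two users with the
    same password get different hashes and precomputed tables do not apply.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return salt, dk


def make_record(password: str) -> str:
    """Produce the string to store in the database.

    The scheme and round count travel with the hash so the verifier can still
    check records written under older parameters and flag them for rehashing.
    """
    salt, dk = hash_password(password)
    return "$".join([SCHEME, str(ITERATIONS), salt.hex(), dk.hex()])


def parse_record(record: str) -> tuple:
    """Split a stored record into (rounds, salt, derived_key)."""
    scheme, rounds, salt_hex, dk_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported hash scheme: " + scheme)
    return int(rounds), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and rounds, then compare."""
    rounds, salt, stored = parse_record(record)
    _, candidate = hash_password(password, salt, rounds)
    # Constant-time comparison: does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, stored)


def needs_rehash(record: str) -> bool:
    """True when a record was written with fewer rounds than current policy."""
    rounds, _, _ = parse_record(record)
    return rounds < ITERATIONS


if __name__ == "__main__":
    # Constructed sample password, not a real credential.
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                # False
```

Storing the round count alongside the hash is what makes a later increase in `ITERATIONS` safe: existing users keep verifying against their old records, and `needs_rehash` lets the login path rewrite the record with the new parameters once the user has presented the correct password.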