<p>The work factor is the number of iterations of the hashing algorithm that are performed for each password.<br />
The higher the number, the more computationally expensive the hash calculation becomes, which reduces the speed and/or increases the cost for would-be attackers.<br />
The number of iterations needs to strike a balance between performance and security. It is recommended that the number be determined by how many hashes the server can perform in roughly 0.5 seconds.</p>
<p>The minimum recommended by OWASP is <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2">600000</a>.</p>
<p>This value should be increased over time as hardware becomes more powerful.
If you have openssl available on the server you can run <code>openssl speed -hmac sha256 -bytes 16</code> to get an estimate of the number of HMAC-SHA256 operations performed in approximately 3 seconds. You can then use this figure to derive the work factor.
Example - If openssl reports 10267414 ops in 2.81s, that is 3653883 ops per second. The work factor should therefore be set to half of that value (so that one hash takes about 0.5 seconds): 1826941 ≈ 1800000.</p>
<p>To adjust the work factor setting you will need to add a property to the authentication and application servers' appsettings.json files.
A new property called <code>HashingIterations</code> needs to be added to <code>..\Halo\Auth\appsettings.json</code> and <code>..\Halo\Api\appsettings.json</code>.</p>
<p>For example:</p>
<pre><code>{
    <mark>"HashingIterations": 600000</mark>
}</code></pre>
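<p>The following script is an added example, not part of the original page or of the Halo product: it carries the benchmark-to-setting procedure above through in one place, parsing an <code>openssl speed</code> result line, halving the measured ops per second, rounding to the nearest 100000, enforcing the OWASP floor of 600000, and printing the JSON fragment for appsettings.json. The result line is constructed to match the figures in the text; the exact wording of real <code>openssl speed</code> output varies between versions, so the parser only assumes the form <code>...: &lt;ops&gt; ... in &lt;seconds&gt;s</code>.</p>

```shell
#!/bin/sh
# Added example: derive the HashingIterations work factor from an
# `openssl speed -hmac sha256 -bytes 16` result line.
# Constructed sample line using the numbers quoted in the text (10267414 ops in 2.81s).
SAMPLE_LINE="Doing hmac(sha256) ops for 3s on 16 size blocks: 10267414 hmac(sha256) ops in 2.81s"

# parse_speed_line LINE -> prints "OPS SECONDS"
# Assumes the part after ": " starts with the op count and ends with "<secs>s".
parse_speed_line() {
    echo "$1" | awk -F': ' '{
        n = split($2, f, " ");
        sub(/s$/, "", f[n]);
        print f[1], f[n]
    }'
}

# work_factor OPS SECONDS -> iterations that take about 0.5 s on this machine:
# half of the ops-per-second figure, rounded to the nearest 100000
# (1826941 -> 1800000, as in the text's example).
work_factor() {
    awk -v ops="$1" -v secs="$2" 'BEGIN {
        per_sec = ops / secs;
        half = int(per_sec / 2);
        printf "%d\n", int((half + 50000) / 100000) * 100000
    }'
}

# recommended_iterations OPS SECONDS -> work factor, but never below the
# OWASP minimum of 600000 for PBKDF2-HMAC-SHA256 (slow hardware must not
# produce a weaker setting than the published floor).
recommended_iterations() {
    wf=$(work_factor "$1" "$2")
    if [ "$wf" -lt 600000 ]; then
        echo 600000
    else
        echo "$wf"
    fi
}

# appsettings_fragment ITERATIONS -> the JSON property to add to appsettings.json
appsettings_fragment() {
    printf '{\n    "HashingIterations": %s\n}\n' "$1"
}

# Usage: run against the constructed sample line.
set -- $(parse_speed_line "$SAMPLE_LINE")
ITERATIONS=$(recommended_iterations "$1" "$2")
appsettings_fragment "$ITERATIONS"
```

<p>To use it against a live measurement, replace <code>SAMPLE_LINE</code> with the matching line from <code>openssl speed -hmac sha256 -bytes 16</code>. Note that <code>openssl speed</code> measures a single core with nothing else running; a server that is also serving requests will hash more slowly than the benchmark suggests, so treat the derived value as an upper bound and confirm the actual login latency after the change.</p>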
<p><em>A restart of the web site will be required after updating this setting</em></p>