Allow Hash Upgrade

Responder Web used the SHA1 hashing algorithm to generate password and security answer hashes in releases prior to 10.6.1. This algorithm has been superseded by more secure algorithms and is being phased out across the industry. To meet security requirements, the SHA1 algorithm has been replaced by PBKDF2, which is specifically designed for the hashing of passwords.

The first time a user attempts to log in to Responder Web after it has been upgraded to 10.6.1, they are required to go through the Password Reset process. Once the password is reset with the new algorithm, users can log in as usual.

Once the administrator has determined that enough users have upgraded to the new algorithm, they can turn off the reset process for users who have not yet upgraded. The administrator can reset passwords for these users.

To disable the reset process for users who have not reset their password after upgrading, edit the web.config and set AllowHashUpgrade to false. Once this temporary reset has been disabled, the system can take full advantage of the additional security provided with the PBKDF2 hashing algorithm.
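The following sketch models the login decision described above. It is an added example, not Responder Web code: the record layout, function names, the PBKDF2 parameters (HMAC-SHA256, 16-byte salt, iteration count) and the status strings are assumptions, and only the AllowHashUpgrade behaviour comes from this page.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; the page does not state one


def legacy_record(password: str) -> dict:
    # Constructed stand-in for a pre-10.6.1 record that still holds a SHA1 hash.
    return {"scheme": "sha1", "hash": hashlib.sha1(password.encode()).digest()}


def pbkdf2_record(password: str) -> dict:
    # Record written by the Password Reset process (assumed layout).
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def login(users: dict, name: str, password: str, allow_hash_upgrade: bool) -> str:
    rec = users.get(name)
    if rec is None:
        return "DENIED"
    if rec["scheme"] == "sha1":
        # Legacy hashes are never accepted for login. With AllowHashUpgrade on,
        # the user is sent to Password Reset; with it off, only an
        # administrator reset can restore access.
        return "RESET_REQUIRED" if allow_hash_upgrade else "DENIED"
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return "OK" if hmac.compare_digest(candidate, rec["hash"]) else "DENIED"


def complete_reset(users: dict, name: str, new_password: str) -> None:
    # Replaces the stored record, so the SHA1 hash is gone after the reset.
    users[name] = pbkdf2_record(new_password)


def legacy_users(users: dict) -> list:
    # Accounts still on SHA1: the list to review before disabling the upgrade path.
    return sorted(n for n, r in users.items() if r["scheme"] == "sha1")


if __name__ == "__main__":
    users = {"alice": legacy_record("old-pass"), "bob": legacy_record("other")}
    print(login(users, "alice", "old-pass", allow_hash_upgrade=True))
    complete_reset(users, "alice", "new-pass")
    print(login(users, "alice", "new-pass", allow_hash_upgrade=False))
    print(login(users, "bob", "other", allow_hash_upgrade=False), legacy_users(users))
```

A report like legacy_users gives the administrator a concrete count of accounts that have not yet upgraded before AllowHashUpgrade is set to false.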
