From Loyalty version 5.0.18, Loyalty uses the Argon2 algorithm to hash user passwords, changing from PBKDF2. Passwords are automatically migrated to the new algorithm as users sign in. Enable the Hash Loyalty User Passwords scheduled task to migrate passwords for users who haven’t signed in yet, and ensure all passwords are hashed with the new algorithm.
User passwords are hashed to protect data so that, in the unlikely event that a customer’s Loyalty database is compromised, it is significantly more difficult for an unauthorised party to make use of the stored credentials. PBKDF2 was adequate for earlier requirements, but Argon2 offers stronger resistance to offline cracking of the stored hashes.
Running this task ensures that all passwords are hashed with the newer, more secure algorithm and are not left exposed under the old one, even if a user does not log in for some time or their account is abandoned. The task searches for users who are still on the old hash algorithm, loads a batch of them, runs the migration for the batch in parallel, and then updates each user's stored password hash.
The user’s password is not revealed during this process: the task does not know the plaintext, so it runs the existing PBKDF2 hash through Argon2 and stores the result, which protects the saved credential at the level of the new algorithm. When the member next logs in successfully, the plaintext is available again and their hash is replaced with a direct Argon2 hash of the password.
Important: Running this task will cause high CPU usage. Before enabling it, you should consider when to run it, and the resources available to the instance running the task.
Steps
These steps are applicable to Vista Classic (on-premises) systems only. Vista Cloud customers on the equivalent release should contact Vista Support to enable this task.
- In Task Scheduler, go to General Tasks > Add/Remove task.
- Enable the Hash Loyalty User Passwords scheduled task.
- Set parameters to control the behaviour of the task (see below).
- Save and set the task to run.
After you finish
- The task will run each day for the time limit specified until all passwords are migrated to the new hash algorithm.
- When the task identifies that there are no users with the old hash algorithm remaining, it will automatically disable itself.
Parameters
| Option | Values | Description |
|---|---|---|
| BatchSize | Default: 1000 | The number of passwords to hash per batch. Each batch processes its passwords in parallel. |
| MaxConcurrencyDegree | Default: Not set | The number of parallel operations to perform. If not set, the system decides automatically. |
| TimeLimitInMinutes | Default: 60 | The maximum number of minutes the task will run for. The task continues to process batches until this limit is reached. |
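The following is an added example, not Vista's code, that models the two mechanisms this page describes: the scheduled task wrapping an existing PBKDF2 hash in the new algorithm without knowing the password, and the login path replacing that wrapped hash with a direct hash once the plaintext is available, along with a batch loop that mirrors the BatchSize and MaxConcurrencyDegree parameters. Argon2 is not in the Python standard library, so `hashlib.scrypt` (also a memory-hard KDF) stands in for it; the record layout, the scheme labels, the iteration and cost values, and the function names are all assumptions of this example, and the users in the `__main__` block are constructed.

```python
# Added example (not Vista's code): "wrap the old hash" migration, modelled
# with standard-library primitives only.
# ASSUMPTION: hashlib.scrypt stands in for Argon2 here; the flow is identical.
import hashlib
import hmac
import os
from concurrent.futures import ThreadPoolExecutor
from typing import Optional, Tuple

OLD_ITERATIONS = 100_000                              # legacy PBKDF2 rounds (constructed value)
NEW_KDF_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # scrypt cost, standing in for Argon2 cost


def old_hash(password: str, salt: bytes) -> bytes:
    """Legacy scheme: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, OLD_ITERATIONS)


def new_hash(material: bytes, salt: bytes) -> bytes:
    """New scheme (scrypt as Argon2 stand-in). `material` is either the raw
    password or, for the wrapped form, the legacy hash bytes."""
    return hashlib.scrypt(material, salt=salt, **NEW_KDF_PARAMS)


def create_legacy_record(password: str) -> dict:
    """A stored record as it looks before migration."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "hash": old_hash(password, salt)}


def wrap_record(record: dict) -> dict:
    """Scheduled-task step: without the plaintext, run the stored legacy hash
    through the new KDF. The legacy salt is kept so the inner hash can be
    recomputed at login time."""
    if record["scheme"] != "pbkdf2":
        return record  # already migrated; nothing to do
    outer_salt = os.urandom(16)
    return {
        "scheme": "argon2(pbkdf2)",
        "inner_salt": record["salt"],
        "outer_salt": outer_salt,
        "hash": new_hash(record["hash"], outer_salt),
    }


def verify(record: dict, password: str) -> bool:
    """Constant-time check of a password against any of the three record forms."""
    scheme = record["scheme"]
    if scheme == "pbkdf2":
        candidate = old_hash(password, record["salt"])
    elif scheme == "argon2(pbkdf2)":
        inner = old_hash(password, record["inner_salt"])
        candidate = new_hash(inner, record["outer_salt"])
    elif scheme == "argon2":
        candidate = new_hash(password.encode(), record["salt"])
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])


def login(record: dict, password: str) -> Tuple[bool, dict]:
    """Login step: on success, replace a legacy or wrapped record with a direct
    new-scheme hash, since the plaintext is available at this point."""
    if not verify(record, password):
        return False, record
    if record["scheme"] == "argon2":
        return True, record
    salt = os.urandom(16)
    return True, {"scheme": "argon2", "salt": salt, "hash": new_hash(password.encode(), salt)}


def migrate_batch(records: list, batch_size: int = 1000, max_workers: Optional[int] = None) -> list:
    """Mirrors BatchSize / MaxConcurrencyDegree: select records still on the
    legacy scheme, process them one batch at a time, each batch in parallel.
    max_workers=None lets the executor pick the degree of concurrency."""
    pending = [i for i, r in enumerate(records) if r["scheme"] == "pbkdf2"]
    out = list(records)
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        for start in range(0, len(pending), batch_size):
            idx = pending[start:start + batch_size]
            batch = [out[i] for i in idx]
            for i, wrapped in zip(idx, pool.map(wrap_record, batch)):
                out[i] = wrapped
    return out


def remaining_legacy(records: list) -> int:
    """The count the task checks before disabling itself."""
    return sum(1 for r in records if r["scheme"] == "pbkdf2")


if __name__ == "__main__":
    # Constructed users for the demo.
    users = [create_legacy_record(pw) for pw in ("correct horse", "hunter2", "s3cr3t")]
    migrated = migrate_batch(users, batch_size=2, max_workers=2)
    print("legacy records left:", remaining_legacy(migrated))
    ok, rec = login(migrated[0], "correct horse")
    print("login ok:", ok, "| scheme now:", rec["scheme"])
```

The wrapped form keeps both salts because a login must recompute the inner PBKDF2 hash before the outer KDF; it is only an interim state, and the `login` path retires it as soon as the user authenticates. In a real deployment the cost parameters would be tuned to the instance, which is why the page warns about CPU usage and offers the concurrency and time-limit controls.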