Encoded password caching
By default, the server caches verification data for passwords encoded with the computationally expensive PBKDF2, bcrypt, scrypt, and Argon2 schemes, so that repeated authentication as the same user does not pay the full cost of the scheme every time.
How encoded password caching works
The PingDirectory, PingDirectoryProxy, and PingDataSync servers support several computationally expensive password storage schemes. The encoded password cache can speed up repeated authentication attempts for users with these schemes, as follows:
- The first time a user authenticates, the server verifies the provided plaintext password with the expensive storage scheme.
- The server then caches the encoded password from the user's entry in memory, together with an alternative salted SHA-256 digest of the same plaintext password.
- On later authentication attempts as the same user, if the encoded password from the entry is found in the cache, the server verifies the provided plaintext against the cached salted SHA-256 digest instead of repeating the expensive computation.
- The server clears the cache automatically whenever the configuration of the associated password storage scheme changes.
This cache can significantly reduce the cost of authenticating many connections as the same user within a short period, as happens when a client establishes a connection pool. The saving applies, for example, to the connections the PingDirectoryProxy server opens to the PingDirectory server: the Proxy User account, like the other root user and topology administrator accounts, has a PBKDF2-encoded password by default.
Configuring the cache
The encoded password cache is enabled by default for each expensive password storage scheme, with a separate cache of 10,000 passwords per scheme.
You can change the size of a cache, or disable it entirely, by setting the encoded-password-cache-size property of the applicable password storage scheme.
For example, the following command sets the cache size to 2000 passwords for one scheme:
$ bin/dsconfig set-password-storage-scheme-prop \
    --scheme-name <password_storage_scheme_name> \
    --set encoded-password-cache-size:2000
To disable the cache for a given password storage scheme, set encoded-password-cache-size to 0; every authentication then runs the full scheme.
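The following Python model is added here as an illustration and is not PingDirectory code. It walks through the two-tier verification described under How encoded password caching works and the size semantics from Configuring the cache: the expensive scheme is assumed to be PBKDF2-HMAC-SHA256 from hashlib, the fast path is SHA-256 over a 128-bit random salt and the plaintext, the cache is keyed by the encoded password alone, a scheme reconfiguration flushes it, and size 0 disables it. The class and function names (Pbkdf2Scheme, EncodedPasswordCache, demo) are this example's own, and the user entry is a constructed dictionary rather than a real LDAP entry.

```python
"""Added example, not PingDirectory code: a model of the encoded password cache.
Expensive scheme: PBKDF2-HMAC-SHA256 via hashlib.  Fast path: SHA-256 over a
128-bit random salt and the plaintext.  One bounded cache per scheme, keyed by
the encoded password only, flushed on reconfiguration, disabled at size 0."""
import hashlib
import hmac
import os
from collections import OrderedDict


class Pbkdf2Scheme:
    """Stand-in for an expensive storage scheme (hypothetical class)."""

    def __init__(self, iterations=200_000):
        self.iterations = iterations
        self.verifications = 0  # slow-path verifications, counted for the demo

    def encode(self, plaintext):
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, self.iterations)
        return f"{{PBKDF2}}{self.iterations}${salt.hex()}${dk.hex()}"

    def verify(self, plaintext, encoded):
        self.verifications += 1
        try:
            iters, salt_hex, dk_hex = encoded[len("{PBKDF2}"):].split("$")
            salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
            dk = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, int(iters))
        except ValueError:
            return False
        return hmac.compare_digest(dk, expected)


class EncodedPasswordCache:
    """Per-scheme cache: encoded password -> (salt, sha256(salt || plaintext)).
    The key is the encoded value alone, so nothing here ties a digest to a user.
    Account state (locked, disabled, expired) is checked by the caller, so the
    cache cannot bypass it."""

    def __init__(self, scheme, size=10_000):
        self.scheme, self.size, self._entries = scheme, size, OrderedDict()

    def __len__(self):
        return len(self._entries)

    def reconfigure(self, iterations):
        """Any change to the scheme's configuration flushes the cache."""
        self.scheme.iterations = iterations
        self._entries.clear()

    @staticmethod
    def _fast_digest(salt, plaintext):
        return hashlib.sha256(salt + plaintext.encode()).digest()

    def verify(self, plaintext, encoded):
        hit = self._entries.get(encoded)
        if hit is not None:
            # Fast path.  The digest came from a password that already passed
            # the expensive check, so a mismatch just means a wrong password.
            salt, digest = hit
            self._entries.move_to_end(encoded)
            return hmac.compare_digest(self._fast_digest(salt, plaintext), digest)
        if not self.scheme.verify(plaintext, encoded):  # slow path
            return False
        if self.size > 0:  # encoded-password-cache-size 0 disables the cache
            salt = os.urandom(16)
            self._entries[encoded] = (salt, self._fast_digest(salt, plaintext))
            while len(self._entries) > self.size:
                self._entries.popitem(last=False)  # evict least recently used
        return True


def demo():
    """Walk through the documented behaviour and return the observations."""
    scheme = Pbkdf2Scheme(iterations=50_000)
    cache = EncodedPasswordCache(scheme)
    entry = {"userPassword": scheme.encode("correct horse")}  # constructed entry
    r = {"first": cache.verify("correct horse", entry["userPassword"])}  # slow
    r["second"] = cache.verify("correct horse", entry["userPassword"])   # fast
    r["wrong"] = cache.verify("Tr0ub4dor&3", entry["userPassword"])      # fast, rejected
    r["slow_after_three"] = scheme.verifications  # only the first bind ran PBKDF2
    # Password change: the entry holds a new encoded value, so the stale cache
    # entry is never consulted and the former password stops working.
    entry["userPassword"] = scheme.encode("new passphrase")
    r["old_rejected"] = not cache.verify("correct horse", entry["userPassword"])
    r["new_ok"] = cache.verify("new passphrase", entry["userPassword"])
    # Reconfiguring the scheme clears the cache; the next bind is slow again.
    cache.reconfigure(iterations=60_000)
    r["cleared"] = len(cache) == 0
    before = scheme.verifications
    cache.verify("new passphrase", entry["userPassword"])
    r["repopulated"] = scheme.verifications == before + 1 and len(cache) == 1
    # Size 0: every bind pays the full PBKDF2 cost and nothing is retained.
    off = EncodedPasswordCache(Pbkdf2Scheme(iterations=50_000), size=0)
    enc = off.scheme.encode("x")
    off.verify("x", enc)
    off.verify("x", enc)
    r["always_slow"] = off.scheme.verifications == 2 and len(off) == 0
    return r
```

Run demo() to see the observations; the point of the model is that only the first bind per encoded password reaches the PBKDF2 path, and that a password change, a scheme reconfiguration, or a size of 0 each force the slow path again without ever letting a stale digest authenticate a former password.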
Security considerations
The following security considerations apply to encoded password caching:
- The cache never holds plaintext passwords. Each cached password is stored as its original encoding together with a SHA-256 digest computed over the provided password and a securely generated 128-bit random salt. A salted SHA-256 digest is far cheaper to brute-force than the expensive scheme it stands in for, which is why the remaining points matter.
- The cache is never persisted; it exists only in memory. Passwords written to disk are encoded only with their configured storage schemes.
- The cache holds only encoded passwords. It contains nothing that could associate an encoded password with a user account.
- The cache can't become stale in a way that affects the accuracy of authentication. If a user changes their password, the cache won't allow the former password to keep working, and it won't allow a user to authenticate after their account is locked or disabled or their password has expired.