--- title: PBKDF2-HMAC-SHA256 Password Storage Scheme description: The PBKDF2-HMAC-SHA256 Password Storage Scheme provides a mechanism for encoding user passwords using the PBKDF2-HMAC-SHA256 message digest algorithm. component: pingds version: 8.1 page_id: pingds:configref:objects-pbkdf2-hmac-sha256-password-storage-scheme canonical_url: https://docs.pingidentity.com/pingds/8.1/configref/objects-pbkdf2-hmac-sha256-password-storage-scheme.html section_ids: parent: Parent pbkdf2_hmac_sha256_password_storage_scheme_properties: PBKDF2-HMAC-SHA256 Password Storage Scheme properties basic_properties: Basic properties enabled: enabled pbkdf2-iterations: pbkdf2-iterations rehash-policy: rehash-policy advanced_properties: Advanced properties java-class: java-class remote-password-hashing-base-uri: remote-password-hashing-base-uri remote-password-hashing-connection-timeout: remote-password-hashing-connection-timeout remote-password-hashing-enabled: remote-password-hashing-enabled remote-password-hashing-max-connections: remote-password-hashing-max-connections remote-password-hashing-request-timeout: remote-password-hashing-request-timeout --- # PBKDF2-HMAC-SHA256 Password Storage Scheme The PBKDF2-HMAC-SHA256 Password Storage Scheme provides a mechanism for encoding user passwords using the PBKDF2-HMAC-SHA256 message digest algorithm. This scheme contains an implementation for the user password syntax, with a storage scheme name of "PBKDF2-HMAC-SHA256". ## Parent The PBKDF2-HMAC-SHA256 Password Storage Scheme object inherits from [PBKDF2 Password Storage Scheme](objects-pbkdf2-password-storage-scheme.html). ## PBKDF2-HMAC-SHA256 Password Storage Scheme properties You can use configuration expressions to set property values at startup time. For details, see [Property value substitution](expressions.html). | Basic Properties | Advanced Properties | | ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [enabled](#enabled) [pbkdf2-iterations](#pbkdf2-iterations) [rehash-policy](#rehash-policy) | [java-class](#java-class) [remote-password-hashing-base-uri](#remote-password-hashing-base-uri) [remote-password-hashing-connection-timeout](#remote-password-hashing-connection-timeout) [remote-password-hashing-enabled](#remote-password-hashing-enabled) [remote-password-hashing-max-connections](#remote-password-hashing-max-connections) [remote-password-hashing-request-timeout](#remote-password-hashing-request-timeout) | ### Basic properties Use the `--advanced` option to access advanced properties. ### enabled | | | | ----------------------- | ----------------------------------------------------------------- | | *Synopsis* | Indicates whether the Password Storage Scheme is enabled for use. | | *Default value* | None | | *Allowed values* | truefalse | | *Multi-valued* | No | | *Required* | Yes | | *Admin action required* | None | | *Advanced* | No | | *Read-only* | No | ### pbkdf2-iterations | | | | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | *Synopsis* | The number of algorithm iterations to make. | | *Description* | By default, changes to this setting impact only newly created and updated passwords. However, if the rehash-policy is set to always or only-increase, it causes the server to recalculate each user's password hash on their next authentication, and write the new hash to the user's entry on disk. Changing the number of iterations therefore leads to a short-term spike in CPU and disk use as the server updates each user's password when they next authenticate. Longer term, increasing this settings results in more secure passwords at the expense of longer response times and lower throughput. | | *Default value* | 10000 | | *Allowed values* | An integer.Lower limit: 1. | | *Multi-valued* | No | | *Required* | No | | *Admin action required* | None | | *Advanced* | No | | *Read-only* | No | ### rehash-policy | | | | ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | *Synopsis* | Indicates whether the server should rehash passwords after the cost has been changed. | | *Description* | Passwords will be rehashed when a user successfully authenticates. Note that rehashing will increase the write load on the server. | | *Default value* | never | | *Allowed values* | * never: Never rehash passwords when the cost changes. Only rehash passwords when the password is modified. * only-decrease: Only rehash passwords when the cost has been decreased (downgrade the security of the hashed password). * only-increase: Only rehash passwords when the cost has been increased (do not downgrade the security of the hashed password). | | *Multi-valued* | No | | *Required* | No | | *Admin action required* | None | | *Advanced* | No | | *Read-only* | No | ## Advanced properties Use the `--advanced` option to access advanced properties. ### java-class | | | | ----------------------- | --------------------------------------------------------------------------------------------------------------------------------- | | *Synopsis* | Specifies the fully-qualified name of the Java class that provides the PBKDF2-HMAC-SHA256 Password Storage Scheme implementation. | | *Default value* | org.opends.server.extensions.PBKDF2HmacSHA256PasswordStorageScheme | | *Allowed values* | A Java class that extends or implements:- org.opends.server.api.PasswordStorageScheme | | *Multi-valued* | No | | *Required* | Yes | | *Admin action required* | None | | *Advanced* | Yes | | *Read-only* | No | ### remote-password-hashing-base-uri | | | | ----------------------- | ----------------------------------------------------------------------- | | *Synopsis* | Specifies the base URI to connect to the password hashing microservice. | | *Default value* | None | | *Allowed values* | A string. | | *Multi-valued* | No | | *Required* | No | | *Admin action required* | None | | *Advanced* | Yes | | *Read-only* | No | ### remote-password-hashing-connection-timeout | | | | ----------------------- | ---------------------------------------------------------------------------------- | | *Synopsis* | Specifies the timeout to use when connecting to the password hashing microservice. | | *Default value* | 10 s | | *Allowed values* | Uses [duration syntax](duration-syntax.html).Lower limit: 0 seconds. | | *Multi-valued* | No | | *Required* | No | | *Admin action required* | None | | *Advanced* | Yes | | *Read-only* | No | ### remote-password-hashing-enabled | | | | ----------------------- | --------------------------------------------------------------------------- | | *Synopsis* | Specifies whether to delegate password hashing to a dedicated microservice. | | *Default value* | false | | *Allowed values* | truefalse | | *Multi-valued* | No | | *Required* | No | | *Admin action required* | None | | *Advanced* | Yes | | *Read-only* | No | ### remote-password-hashing-max-connections | | | | ----------------------- | --------------------------------------------------------------------------------- | | *Synopsis* | Specifies the maximum number of connections to the password hashing microservice. | | *Default value* | 64 | | *Allowed values* | An integer.Lower limit: 0. | | *Multi-valued* | No | | *Required* | No | | *Admin action required* | None | | *Advanced* | Yes | | *Read-only* | No | ### remote-password-hashing-request-timeout | | | | ----------------------- | ------------------------------------------------------------------------- | | *Synopsis* | Specifies the timeout for a request to the password hashing microservice. | | *Default value* | 10 s | | *Allowed values* | Uses [duration syntax](duration-syntax.html).Lower limit: 0 seconds. | | *Multi-valued* | No | | *Required* | No | | *Admin action required* | None | | *Advanced* | Yes | | *Read-only* | No |