Questions about password hashing methods

SonarQube Version: 9.4

In “FIPS.180-2”, “PBKDF2” was included, but not in the latest “FIPS.180-4”.
I would like to confirm that “PBKDF2” is compliant with the latest “FIPS.180-4”.
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf

The “hash_method” in the document shows that “PBKDF2” is used as the hashing method.
https://docs.sonarqube.org/9.4/instance-administration/security/

I have two questions.

1. Is it possible to change the hash method?
※ For example, Bcrypt, Argon2, etc.

2. If it cannot be changed in 1, which is the hash function for PBKDF2? (SHA-256, SHA-384, SHA-512)

Hi,

  1. It’s not possible to change the hash method.
  2. Hash function is SHA-512 with 100.000 iterations. Details here: [SONAR-14582] - Jira

Thank you.
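
To make the parameters named in the answer concrete, here is an added example (not part of the original thread and not SonarQube's own code) of hashing and verifying a password with PBKDF2-HMAC-SHA-512 at 100,000 iterations. The record format, salt length, iteration ceiling and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2-sha512"   # hypothetical label for the stored record
ITERATIONS = 100_000       # iteration count stated in the answer
MAX_ITERATIONS = 5_000_000 # assumption: ceiling so a tampered record cannot stall login
SALT_LEN = 16              # assumption: 16-byte random salt per password


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'scheme$iterations$salt_hex$hash_hex' (format is an assumption)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    # dklen defaults to the digest size, i.e. 64 bytes for SHA-512
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations), salt.hex(), dk.hex()])


def verify_password(password, record):
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != SCHEME or not 1 <= iterations <= MAX_ITERATIONS:
        return False
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, minimum=ITERATIONS):
    """True when a record uses another scheme or fewer iterations than the current policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return True
    return int(parts[1]) < minimum


if __name__ == "__main__":
    stored = hash_password("constructed-sample-password")  # constructed input
    print(stored)
    print(verify_password("constructed-sample-password", stored), needs_rehash(stored))
```

Storing the iteration count alongside the salt lets an application raise the work factor later and re-hash each account at its next successful login.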
