Password Hashing for Standard Authentication

Beginning with MicroStrategy 10.11, a new password hashing algorithm that provides much stronger protection of stored credentials is implemented. Associated with this algorithm is a new field in Developer that allows the Administrator to select the number of iterations the hashing function performs. The iteration count is a work factor: raising it makes every hash computation, and therefore every offline guess by an attacker who obtains the Metadata, proportionally more expensive, at the cost of slightly more CPU time per login on the Intelligence Server. The previous option to select a hashing algorithm has been removed.

The new hashing algorithm was implemented in the product to conform with current industry security best practices by following the guidance of NIST Special Publication 800-63B for the protection of memorized secrets. The following is an overview of the algorithm used for password hashing:

  • A 512-bit random value (the salt) is generated for each password. This value is stored in the Metadata alongside the hash, as it is required when verifying the password.

  • A password-based key derivation function (PBKDF2, as defined in PKCS #5) is executed with three relevant parameters:
    • The previously generated random value (i.e., the salt).

    • A pseudorandom function, in this case HMAC built on SHA-512.

    • The number of iterations the PBKDF2 algorithm performs (set by the administrator as described below).

PBKDF2 takes the user's password and the random salt and applies the pseudorandom function (HMAC-SHA-512) the specified number of times, chaining each output into the next. The result is stored in the Metadata as the hash of the password; the password itself is never stored. Verification repeats the same computation with the stored salt and iteration count and compares the result to the stored hash.

For reference, the OpenSSL PKCS5_PBKDF2_HMAC function is used to perform the PBKDF2/HMAC-SHA-512 derivation.

For new installations with new metadata beginning with 10.11, the new algorithm and hashing process is automatically applied.

For existing deployments upgrading to 10.11, there are similarly no additional actions the Administrator needs to take beyond optionally changing the default number of hash iterations. However, there are two important caveats associated with upgrading to 10.11:

  • If upgrading Intelligence Server and metadata, pre-10.11 installations of COM API clients must also be upgraded as they are not compatible.
  • Once the upgrade is undertaken, it is not possible to revert to an earlier version of metadata.

Once an installation has been upgraded to 10.11, the process of converting user password hashes from the old algorithm to the new algorithm occurs automatically, transparent to both users and Administrators. There is no need to ask users to enter new passwords. Because the server only has the plaintext password in hand while a user authenticates, each user's password hash is converted on that user's next log in; until a user logs in, the hash stored for that account remains in the old format.
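The derivation, verification and upgrade-on-login flow described in the two passages above, as an added example that is not MicroStrategy's own code. It uses Python's standard-library PBKDF2-HMAC-SHA-512 (OpenSSL-backed, like the product) with a 512-bit salt. The record layout, the `login` helper, and the stand-in legacy format (modelled here as unsalted SHA-1, purely so the conversion path can be shown; the page does not describe the pre-10.11 algorithm) are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters taken from the page: 512-bit random salt, PBKDF2 with HMAC-SHA-512,
# iteration count chosen by the administrator. The 512-bit output length is an
# assumption; the page does not state it.
SALT_BYTES = 64
HASH_NAME = "sha512"
DKLEN = 64
NEW_ALG = "pbkdf2-hmac-sha512"
LEGACY_ALG = "legacy-sha1"   # hypothetical stand-in for the pre-10.11 format


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """Derive a storable record: algorithm label, iteration count, salt and hash."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh CSPRNG salt per password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations, dklen=DKLEN)
    return {"alg": NEW_ALG, "iterations": iterations, "salt": salt, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    record["salt"], record["iterations"], dklen=DKLEN)
    return hmac.compare_digest(candidate, record["hash"])


def legacy_hash(password: str) -> dict:
    """Constructed legacy record (unsalted SHA-1) used only to show the upgrade."""
    return {"alg": LEGACY_ALG, "hash": hashlib.sha1(password.encode("utf-8")).digest()}


def verify_legacy(password: str, record: dict) -> bool:
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8")).digest(),
                               record["hash"])


def login(password: str, record: dict, current_iterations: int) -> Tuple[bool, dict]:
    """Authenticate against whatever record exists. On success, return a new
    record if the stored one is legacy or its iteration count differs from the
    server's current setting; the plaintext is only available at this moment,
    so this is the only point at which a transparent rehash can happen."""
    if record["alg"] == LEGACY_ALG:
        ok = verify_legacy(password, record)
    elif record["alg"] == NEW_ALG:
        ok = verify_password(password, record)
    else:
        raise ValueError("unknown hash algorithm: %r" % record["alg"])
    if not ok:
        return False, record            # never touch the record on a failed login
    stale = record["alg"] != NEW_ALG or record["iterations"] != current_iterations
    if stale:
        return True, hash_password(password, current_iterations)
    return True, record


if __name__ == "__main__":
    stored = legacy_hash("correct horse battery staple")   # pre-upgrade account
    ok, stored = login("correct horse battery staple", stored, 100_000)
    print(ok, stored["alg"], stored["iterations"], stored["salt"].hex()[:16])
```

Note that `login` rehashes when the stored iteration count differs from the current server setting, so raising the administrator-configured value migrates accounts gradually as users authenticate, exactly as the algorithm change itself does.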

Changing the Default Number of Iterations

  1. Open Developer and right-click on a project source and select Configure Intelligence Server.

    If you are running MicroStrategy Developer on Windows for the first time, run it as an administrator.

    Right‑click the program icon and select Run as Administrator.

    This is necessary in order to properly set the Windows registry keys. For more information, see KB43491.

  2. Open Server Definition > Security.
  3. Set the number of hash iterations in the Encryption Level section.