Security is a fundamental topic for today’s business solution systems. At 4D, we understand its importance; that’s why we keep delivering features that tackle this topic.
And with 4D v19 R3, 4D now uses a stronger hashing algorithm for user passwords. Let’s find out more!
Say hello to the bcrypt algorithm
Simply put, all passwords are now hashed with the bcrypt algorithm instead of the legacy one based on MD5. 4D already allowed you to use bcrypt for web login, as described in this blog post. That’s why we decided to use the same algorithm for 4D authentication. The goal is to improve your directory file security. A brute-force attack on a strong password hashed with bcrypt takes tens of years to succeed!
How to implement it?
You don’t need to touch any setting or any line of code. When a password is changed in the toolbox or with the CHANGE PASSWORD or Set user properties commands, its bcrypt hash is stored instead of the former hash. During authentication, 4D automatically recognizes whether the password is stored as a legacy hash or a bcrypt hash, so users can continue to connect without changing their passwords! So to take advantage of the new algorithm and improve security, you just have to tell your users to change their passwords.
Important: Keep in mind that if you modify passwords with 4D v19 R3 or later, going back to a previous version will cause authentication denials. Be careful, especially when modifying the Designer and Administrator passwords. So don’t forget to back up (the 4DB file for binary databases or the directory.json file for projects) before moving to the new version!
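Because a stored hash only becomes bcrypt when its password is changed, it helps to know which accounts are still on the legacy hash after the upgrade. The sketch below is an added example, not 4D code: it assumes the stored bcrypt values use the standard `$2b$<cost>$...` modular crypt format, and the record layout (`name`, `password`), the sample values and the `min_cost` threshold are constructed for illustration and are not the directory.json schema.

```python
import re

# Standard bcrypt modular crypt format:
#   $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}")


def classify_hash(stored):
    """Return ("bcrypt", cost) or ("not-bcrypt", None) for a stored hash string."""
    match = BCRYPT_RE.fullmatch(stored or "")
    if match:
        return "bcrypt", int(match.group(1))
    return "not-bcrypt", None


def users_needing_change(users, min_cost=10):
    """List (name, reason) for accounts whose password should be changed.

    An account is reported when its stored value is not a bcrypt hash, or
    when its bcrypt cost is below min_cost (the threshold is an assumption).
    """
    findings = []
    for user in users:
        kind, cost = classify_hash(user.get("password"))
        if kind != "bcrypt":
            findings.append((user["name"], "legacy or unknown hash format"))
        elif cost < min_cost:
            findings.append((user["name"], f"bcrypt cost {cost} below {min_cost}"))
    return findings


# Constructed sample records (hypothetical field names and placeholder hashes).
SAMPLE_USERS = [
    {"name": "Designer", "password": "$2b$10$" + "x" * 53},
    {"name": "Administrator", "password": "0123456789abcdef0123456789abcdef"},
    {"name": "alice", "password": "$2a$04$" + "y" * 53},
    {"name": "bob", "password": ""},
]

if __name__ == "__main__":
    for name, reason in users_needing_change(SAMPLE_USERS):
        print(f"{name}: {reason}")
```

Run it against an export of your own user records, adapted to their real layout, to build the list of users to ask for a password change.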
Finally, remember that to improve security, you need to watch for data leaks and use unique and strong passwords.