Authentication standard

Hi, I am looking for information about the standard used by Openemr in the connection processes.

I would especially like to know:

  1. What is the standard and method of password encryption in the database?
  2. What is the method OpenEMR uses to create the API token?

Thanks

Amiel

hi @Amiel, @brady.miller has them here and here


@Amiel
Regarding the standard and method of password encryption in the database kindly check the following link.

Link: https://community.open-emr.org/t/security-updates-for-user-password-scheme/6256

Hope this may help you.

Thanks,
ViSolve-120

hi @Amiel ,

@stephenwaite pointed you to the most updated stuff. The link by @visolveemr is a bit dated. OpenEMR 6.0.0-dev supports either Bcrypt or Argon hashing, which is easy to customize. The hashing settings can be set differently for the authentication (both core and API auth) and token authentication. This is so that, for example, one can set the auth hash to take a second, but the token auth hash to be much faster (which also makes sense since tokens are short term anyway).

A token is also basically impossible to counterfeit or guess since it is encrypted and then confirmed by an HMAC hash when decrypted, and then the subsequent hash check adds more security. And since it incorporates a hash, one can't infer what a token is from what is stored in the database.

-brady

btw, here are the related globals settings for this, which start here:
https://www.open-emr.org/wiki/index.php/Administration_Globals#Debug_Hash_Verification_Time
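A worked illustration of the two points Brady makes, added here as an example and not OpenEMR's own code: a tunable work factor that can be set separately for user passwords and for short-lived tokens, and a token that carries an HMAC tag while the server stores only a hash of it. It uses PBKDF2 from the Python standard library as a stand-in for the Bcrypt/Argon work factor (an assumption, since the actual project uses Bcrypt or Argon), and it leaves out the encryption layer the post mentions, showing only the HMAC check and the stored-hash check. All keys and sample secrets are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class HashProfile:
    """Work factor for one class of secret. PBKDF2 iterations stand in for
    the Bcrypt cost / Argon time and memory parameters the post refers to."""
    name: str
    iterations: int


# Two profiles, mirroring the post: passwords get the slow setting, tokens a
# much faster one because a token is short-lived and high-entropy anyway.
PASSWORD_PROFILE = HashProfile(name="auth", iterations=200_000)
TOKEN_PROFILE = HashProfile(name="token", iterations=5_000)

# Constructed server-side MAC key for the example (in practice, from config).
EXAMPLE_MAC_KEY = secrets.token_bytes(32)


def hash_secret(secret: str, profile: HashProfile) -> str:
    """Return a self-describing record: algorithm, iterations, salt, digest.
    Storing the iteration count lets the work factor be raised later without
    invalidating existing records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, profile.iterations)
    return f"pbkdf2${profile.iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the hash with the parameters embedded in the record and
    compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def issue_token(mac_key: bytes) -> tuple[str, str]:
    """Create a bearer token for the client and the record the server keeps.
    The client value is random bytes plus an HMAC tag; the database holds only
    a hash of the random part, so a database read does not reveal the token."""
    raw = secrets.token_bytes(32)
    tag = hmac.new(mac_key, raw, hashlib.sha256).digest()
    client_token = raw.hex() + "." + tag.hex()
    stored_record = hash_secret(raw.hex(), TOKEN_PROFILE)
    return client_token, stored_record


def validate_token(presented: str, mac_key: bytes, stored_record: str) -> bool:
    """Cheap HMAC check first (rejects forged or garbled tokens without doing
    any slow hashing), then the stored-hash check against the database record."""
    try:
        raw_hex, tag_hex = presented.split(".")
        raw = bytes.fromhex(raw_hex)
    except ValueError:
        return False
    expected_tag = hmac.new(mac_key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag.hex(), tag_hex):
        return False
    return verify_secret(raw_hex, stored_record)


if __name__ == "__main__":
    record = hash_secret("correct horse battery staple", PASSWORD_PROFILE)
    print("password verifies:", verify_secret("correct horse battery staple", record))
    token, token_record = issue_token(EXAMPLE_MAC_KEY)
    print("token validates:", validate_token(token, EXAMPLE_MAC_KEY, token_record))
```

The order of checks in `validate_token` is the practical point: the HMAC comparison is a single fast operation, so a flood of bogus tokens never reaches the slower hash step, while the hash in the database means the stored record alone is not enough to build a valid token.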