For local users, in version 8.3.0, PhixFlow's encryption method was upgraded to one-way encrypt:

• Security answers using normalized Bcrypt.
  
  • This changes all letters to lower case and removes spaces before encrytpting.
  • It does not use the pepper key, so security answers will work if the user account is imported to another instance.
• User passwords using a pepper key and Bcrypt.
  • This requires an exact string match for the password.

  • The pepper key is specific to the PhixFlow instance, and is stored in the keystore.

    Note
    You can export/import user accounts from one instance to another. However user passwords will not work in the new instance because the pepper key will be different. The user will need to have their password reset in the import instance.

    
    

After upgrading to 8.3.0, new or reset passwords and security answers automatically use the Bcrypt method.

Passwords and security answers that were created in older versions of PhixFlow were encrypted using the previous encryption method. These will continue to work because the configuration file phixflow-instance.xml has a list of all the encryption methods.

<bean id="passwordEncoder" class="com.accipia.centerview.util.security.ConfigurablePasswordEncoder">
  <property name="matchEncoders">
    <list>
      <ref bean="pepperedBcrypt" />
      <ref bean="legacyEncoder" />
      <ref bean="startupEncoder" />
    </list>
  </property>
  <property name="setterEncoder" ref="pepperedBcrypt" />
</bean>

To check a passoword or security answer, PhixFlow identifies which method has been used to encrypt it. It then uses the same method to encrypt the string supplied by the user. PhixFlow then compares the two encrypted versions and ensures these match.

How to Migrate Security Information

As Bcrypt is more secure, we recommend all security information is migrated to Bcrypt as soon as possible.

To do this, all users must change their passwords and their security answers.

Removing Old Encoders

You can update phixflow-instance.xml to remove old encoders when:

• At least one administration user can log into PhixFlow;.
  This means the startup user is no longer required.
• You installed a new version of PhixFlow version 8.3.0 or later.
  This means all passwords and security answers automatically use BCrypt encryption
• After upgrading to 8.3.0 or later, all users updated their passwords and security answers.
  This means all existing passwords and security answers have been migrated to use BCrypt encryption.

1.  In your PhixFlow installation directory,  go to webapp/WEB-INF/classes/ and edit phixflow-instance.xml
2. Find the bean: <bean id="passwordEncoder"
3. Delete the lines
   • <ref bean="legacyEncoder" /> to disable passwords or security answers that do not use BCrypt
   • <ref bean="startupEncoder" /> to disable the startup user account.
     
     

For passwords disabled by this process, users can reset their password; see Password Reset.

About the Pepper Key

The pepper key for your PhixFlow instance is created at installation or uprade to 8.3.0. If you are unfamiliar with the concept of a pepper key, see Wikipedia article on Pepper Encrytption.

Once it is set, all new or reset passwords have the pepper key added to them. The pepper key itself is stored in the keystore; see Adding Data to a Keystore. The pepper key alias is stored in phixflow-instance.xml.