Legacy Knowledge Base
Published Jul. 2, 2025

Defining Encryption Algorithms for Passwords Stored in the Database

Written By

Liferay Support

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

By default, Liferay encrypts the passwords that go into the database. The default algorithm is SHA-1 in versions 6.0 and 6.1, which changed to PBKDF2WithHmacSHA1/160/128000 in version 6.2. The encryption algorithm can be changed, or even turned off, in portal-ext.properties.

Because of this, if you upgrade to 6.2 and were using the default password encryption algorithm, you will need to set the legacy property to the old algorithm.

Resolution

Liferay allows users to choose from a variety of encryption algorithms to suit their needs. The algorithm is selected with the passwords.encryption.algorithm property in portal-ext.properties.

#
# Set the following encryption algorithm to encrypt passwords. The default
# algorithm is PBKDF2WithHmacSHA1/160/128000, generating 160 bit hashes
# using 128,000 rounds.
#
# It is possible to decrease the rounds value in case of slow production
# hardware, but be aware that 128,000 is the recommended value for 2014
# by OWASP.
#
# If set to NONE, passwords are stored in the database as plain text.
#
#passwords.encryption.algorithm=BCRYPT/10
#passwords.encryption.algorithm=MD2
#passwords.encryption.algorithm=MD5
#passwords.encryption.algorithm=NONE
passwords.encryption.algorithm=PBKDF2WithHmacSHA1/160/128000
#passwords.encryption.algorithm=SHA
#passwords.encryption.algorithm=SHA-256
#passwords.encryption.algorithm=SHA-384
#passwords.encryption.algorithm=SSHA
#passwords.encryption.algorithm=UFC-CRYPT

If this property is set to NONE, passwords are stored in the database as plain text.

In 6.1 and lower, the default encryption was set to SHA (SHA-1). This changed in 6.2 to PBKDF2WithHmacSHA1/160/128000, as seen above. When upgrading to 6.2, be sure to set the following property so that your passwords are upgraded to the new encryption algorithm upon login:

passwords.encryption.algorithm.legacy=SHA

The corresponding snippet from the portal.properties file is:

#
# Set the following encryption algorithm to designate the password
# encryption algorithm to migrate from. This is only necessary if
# upgrading from a release prior to 6.2 or if you wish to switch password
# encryption algorithms when there are existing users with passwords in the
# portal.
#
#passwords.encryption.algorithm.legacy=BCRYPT
#passwords.encryption.algorithm.legacy=MD2
#passwords.encryption.algorithm.legacy=MD5
#passwords.encryption.algorithm.legacy=NONE
#passwords.encryption.algorithm.legacy=SHA
#passwords.encryption.algorithm.legacy=SHA-256
#passwords.encryption.algorithm.legacy=SHA-384
#passwords.encryption.algorithm.legacy=SSHA
#passwords.encryption.algorithm.legacy=UFC-CRYPT
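
The upgrade-on-login behaviour described above, sketched as an added example (not Liferay's code and not part of the original article): a stored legacy SHA value is verified once and then replaced with a PBKDF2WithHmacSHA1/160/128000 value. The storage layout, the 8-byte salt and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, os

CURRENT = "PBKDF2WithHmacSHA1/160/128000"  # passwords.encryption.algorithm
PREFIX = "{" + CURRENT + "}"               # constructed tag, marks upgraded rows

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def parse_pbkdf2_spec(spec):
    """'PBKDF2WithHmacSHA1/160/128000' -> ('sha1', 20, 128000)."""
    name, bits, rounds = spec.split("/")
    if not name.startswith("PBKDF2WithHmac"):
        raise ValueError("not a PBKDF2 spec: " + spec)
    return name[len("PBKDF2WithHmac"):].lower(), int(bits) // 8, int(rounds)

def hash_legacy(password):
    """passwords.encryption.algorithm.legacy=SHA: one unsalted SHA-1 pass."""
    return _b64(hashlib.sha1(password.encode("utf-8")).digest())

def hash_current(password, salt=None):
    """Salted PBKDF2 stored as PREFIX + b64(salt) + '$' + b64(key)."""
    prf, key_len, rounds = parse_pbkdf2_spec(CURRENT)
    salt = os.urandom(8) if salt is None else salt  # salt size is an assumption
    key = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, rounds, key_len)
    return PREFIX + _b64(salt) + "$" + _b64(key)

def login(stored, password):
    """Return (authenticated, value_to_store)."""
    if stored.startswith(PREFIX):
        salt = base64.b64decode(stored[len(PREFIX):].split("$")[0])
        return hmac.compare_digest(hash_current(password, salt), stored), stored
    if hmac.compare_digest(hash_legacy(password), stored):
        # Legacy hash verified: the plaintext is available only now, so
        # re-hash with the current algorithm and persist the new value.
        return True, hash_current(password)
    return False, stored

if __name__ == "__main__":
    row = hash_legacy("Tr0ub4dor&3")            # constructed pre-6.2 row
    ok, row = login(row, "Tr0ub4dor&3")
    print(ok, row)                              # row now starts with PREFIX
```

Accounts that never log in after the upgrade keep their legacy hash, so the legacy property has to stay in place until those rows are gone.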

Additional Information

Please check out the full passwords properties available in portal.properties:

https://docs.liferay.com/portal/6.2/propertiesdoc/portal.properties.html#Passwords
