HP mt20 Administrator Guide 1 - Page 63

Encryption, Options, Customization Center



Encryption
Active Directory credentials and other secrets can be hashed for functions like screen-unlock and/or encrypted and stored on the system for single sign-on.
The hash algorithm for creating a password's hash can be selected from this menu. The default, scrypt, is a well-accepted key derivation function. Argon2, another key derivation function, is also available, as are the conventional hashes SHA-256 and SHA-512. The advantage of a key derivation function is that it is computationally expensive to compute a rainbow table that matches plain-text passwords to precomputed hash values, whereas conventional hashes are designed to execute as fast as possible. All hashes are stored with 128 or more bits of random salt, which changes each time the password hash is computed and stored.
Encrypted passwords are used in situations where they can be reversed and supplied to connections when they start (single sign-on). The encryption algorithm can be selected here from a wide variety supported by OpenSSL. Unless there is a good reason to select a different value, HP recommends using the default encryption algorithm, which is generally regarded as a modern, secure algorithm by the security community. The number of salt bits and key bits will vary from one algorithm to another, and you can get details by pressing the info button next to the algorithm selector. Encryption keys are unique per thin client and are stored in a place that only administrators can read. Furthermore, only certain authorized applications on the system can do decryption.
Both hashes and encrypted secrets can be set with a time-to-live. If the amount of time between when the secret was hashed or encrypted and the time when it is used or decrypted exceeds the time-to-live, the hash match or decryption will fail.
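The following is an added illustration, not code from HP or the ThinPro system, of the scheme the section describes: a scrypt hash with a fresh 128-bit random salt per store, and a time-to-live that makes the hash match fail once the record is too old. The scrypt cost parameters, the record layout and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Illustrative parameters (assumptions, not values taken from the HP guide).
SALT_BYTES = 16                      # 128 bits of random salt, the minimum the guide describes
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def hash_secret(secret: str, ttl_seconds: int, now: Optional[float] = None) -> dict:
    """Derive a salted scrypt hash of `secret` and record when it was stored."""
    salt = os.urandom(SALT_BYTES)    # new salt every time the hash is computed and stored
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return {
        "alg": "scrypt",
        "salt": salt,
        "hash": digest,
        "created": now if now is not None else time.time(),
        "ttl": ttl_seconds,
    }


def verify_secret(record: dict, candidate: str, now: Optional[float] = None) -> bool:
    """Return True only if `candidate` matches and the record's time-to-live has not elapsed."""
    now = now if now is not None else time.time()
    if now - record["created"] > record["ttl"]:
        return False                 # expired: the hash match fails even for the right password
    digest = hashlib.scrypt(candidate.encode("utf-8"), salt=record["salt"],
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(digest, record["hash"])   # constant-time comparison


if __name__ == "__main__":
    rec = hash_secret("correct horse battery", ttl_seconds=60, now=1000.0)
    print(verify_secret(rec, "correct horse battery", now=1030.0))   # inside TTL: True
    print(verify_secret(rec, "correct horse battery", now=1061.0))   # past TTL: False
```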
Options
Local user must log in: If this option is selected when Active Directory authentication is disabled, the login screen still appears at startup and logout. In this situation, the local user or root credentials must be used to gain access to the system.
Enable secret peek: If enabled, most password and secret entry fields on the system display a small eyeball icon on the right side. When that eyeball icon is selected by pressing and holding down the left mouse button, the secret is displayed in plain text as long as the mouse button is held down. As soon as the button is released, the secret is again obscured.
Use domain text entry: If enabled, a separate Domain input field is provided for the domain name where applicable. If disabled, the domain is determined by the value entered in the User field instead. For instance, if the User field contains “mike@mycorp”, the domain is assumed to be “mycorp”. If the User field is “graycorp\mary”, the domain is assumed to be “graycorp”.
Allow administrators to override screen lock: If enabled, you can override a locked screen and return it to the login screen or ThinPro desktop, just as if the user had manually logged out of the thin client.
Customization Center
To open Customization Center:
▲ Select Setup > Customization Center in Control Panel.
The button at the top of the Desktop page can be used to switch between the ThinPro and Smart Zero configurations. See Choosing an OS configuration on page 2 for more information about the differences between the two configurations.
Setup 51