brooklyn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Richard Downer <rich...@apache.org>
Subject BROOKLYN-15: web-console authentication: store hashed passwords in brooklyn.properties
Date Tue, 01 Jul 2014 09:49:16 GMT
Aled recently opened this Jira:
https://issues.apache.org/jira/browse/BROOKLYN-15

While I agree with Aled's reason for opening a ticket for this
feature, I think that the suggested way of doing it has weak security.

The Jira ticket's suggestion is to generate a hash like this:
    echo -n aled:mypassword | shasum -a 256

and then add it to brooklyn.properties:
    brooklyn.webconsole.security.user.aled.sha256=0dfecb1...

The problem is that the hash is unsalted. The "aled:" prefix is weak,
because by inspecting brooklyn.properties I can deduce that the SHA256
string will begin with "aled:" and generate rainbow tables using that
prefix.

I appreciate the intention to do something appropriate, fast, and then
build in a more sophisticated system later; however I believe that
unsalted hashes will not pass muster with a security audit, and once
it has been added to Brooklyn, it will be troublesome to remove for
fear of breaking existing installations.

How about using the bcrypt password hasing algorithm instead? There's
a Java implementation here:
http://www.mindrot.org/projects/jBCrypt/
...which is on Maven and ISC/BSD licensed, and appears to be pretty
simple to use. It should be straightforward to integrate this.

Any further thoughts? grkvlt, with your security auditing experience,
do you have any comments?

Richard.

Mime
View raw message