brooklyn-dev mailing list archives

From Richard Downer <>
Subject BROOKLYN-15: web-console authentication: store hashed passwords in
Date Tue, 01 Jul 2014 09:49:16 GMT
Aled recently opened this Jira:

While I agree with Aled's reason for opening a ticket for this
feature, I think that the suggested way of doing it has weak security.

The Jira ticket's suggestion is to generate a hash like this:
    echo -n aled:mypassword | shasum -a 256

and then add it to

The problem is that the hash is unsalted. The "aled:" prefix is weak,
because by inspecting I can deduce that the SHA256
string will begin with "aled:" and generate rainbow tables using that

I appreciate the intention to do something appropriate, fast, and then
build in a more sophisticated system later; however I believe that
unsalted hashes will not pass muster with a security audit, and once
it has been added to Brooklyn, it will be troublesome to remove for
fear of breaking existing installations.

How about using the bcrypt password hashing algorithm instead? There's
a Java implementation here:
...which is on Maven and ISC/BSD licensed, and appears to be pretty
simple to use. It should be straightforward to integrate this.

Any further thoughts? grkvlt, with your security auditing experience,
do you have any comments?
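The contrast Richard is drawing, as an added example that is not from the mail or from Brooklyn: the ticket's unsalted "user:password" SHA-256 is deterministic, so a table built for one username matches every installation using that username, while a per-entry random salt plus a slow KDF is not. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here because it is available offline; the storage format "pbkdf2_sha256$iterations$salt$digest" is an assumption made for this example.

```python
import hashlib
import hmac
import os

def ticket_hash(username: str, password: str) -> str:
    """The scheme from the Jira ticket: sha256 of "user:password".
    No salt, no work factor, and fully deterministic."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()

# Work factor for the salted alternative (constructed value for the example).
ITERATIONS = 200_000

def make_password_entry(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash: a fresh 16-byte random salt per entry, so two
    entries for the same password are different and nothing can be
    precomputed before the salt is known."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def check_password_entry(entry: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so verification timing leaks nothing about the digest."""
    try:
        algo, iters, salt_hex, digest_hex = entry.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)
```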

