From: Ted Zlatanov
To: user@cassandra.apache.org
Subject: Re: Questions about using MD5 encryption with SimpleAuthenticator
Date: Wed, 18 May 2011 08:19:25 -0500
Message-ID: <87r57wrvs2.fsf@lifelogs.com>

On Tue, 17 May 2011 15:52:22 -0700 Sameer Farooqui wrote:

SF> Would still be nice though to use the bcrypt hash over MD5 for stronger
SF> security.

I used MD5 when I proposed SimpleAuthenticator for two reasons:

1) SimpleAuthenticator is supposed to be a demo of the authentication
interface. It can be used for testing and trivial setups, but I
wouldn't use it in production. So it's meant to get you going easily,
not to serve you long-term.

2) MD5 is built into Java. At the time, bcrypt and SHA-* were not. I
used MD5 only so the passwords are not stored in the clear, not to
provide production-level security.

You should consider carefully the implications of storing passwords in a
file on a database server, no matter how they are encrypted. It would
be better to write a trivial AD/LDAP/etc. authenticator that fits your
specific needs and doesn't rely on a local file.

Ted
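
The following Java example is added here and is not part of the original message or of Cassandra's code. It contrasts an unsalted MD5 digest with a salted, iterated hash for password storage; PBKDF2 from the JDK stands in for bcrypt, which the JDK does not include, and the class name, iteration count and sample password are assumptions.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration; class and method names are hypothetical, not Cassandra's.
public class PasswordStorageDemo {
    static final int ITERATIONS = 210_000; // assumed work factor; tune for your hardware

    static String hex(byte[] b) {
        return String.format("%0" + (b.length * 2) + "x", new BigInteger(1, b));
    }

    // Unsalted MD5: fast to compute, and equal passwords always give equal digests.
    static String md5Hex(String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        return hex(md.digest(password.getBytes(StandardCharsets.UTF_8)));
    }

    // Salted, iterated PBKDF2 from the JDK, used here as a stand-in for bcrypt.
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    // Recompute with the stored salt; MessageDigest.isEqual compares in constant time.
    static boolean verify(char[] attempt, byte[] salt, byte[] stored) throws Exception {
        return MessageDigest.isEqual(pbkdf2(attempt, salt), stored);
    }

    public static void main(String[] args) throws Exception {
        String pw = "correct horse"; // constructed sample password
        System.out.println("MD5 user A:    " + md5Hex(pw));
        System.out.println("MD5 user B:    " + md5Hex(pw)); // identical to user A

        SecureRandom rng = new SecureRandom();
        byte[] saltA = new byte[16], saltB = new byte[16];
        rng.nextBytes(saltA);
        rng.nextBytes(saltB);
        byte[] a = pbkdf2(pw.toCharArray(), saltA);
        System.out.println("PBKDF2 user A: " + hex(a));
        System.out.println("PBKDF2 user B: " + hex(pbkdf2(pw.toCharArray(), saltB)));
        System.out.println("right password: " + verify(pw.toCharArray(), saltA, a));
        System.out.println("wrong password: " + verify("wrong".toCharArray(), saltA, a));
    }
}
```

The salt and iteration count have to be stored next to each derived hash so that verification can recompute it.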