cayenne-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aristedes Maniatis <...@ish.com.au>
Subject Re: hashing, best practices?
Date Fri, 08 Aug 2008 00:26:51 GMT

On 08/08/2008, at 5:00 AM, Michael Gentry wrote:

> public void setPassword(String newPassword)
> {
>  super.setPassword(sha1(newPassword));
> }

That's close to what we do too. Some small caveats:

* think carefully about how you implement validation like 'password  
length is more than 4 characters' since the hash will always be more  
than 4 characters

* salt the password before hashing it (for example with the username  
and some other random string) otherwise you make it easy for someone  
to change the database value to a known password. That is, the  
password 'mypass' should hash to two different results for two  
different users.

* make sure you don't getPassword and then setPassword somewhere in  
your code otherwise you'll keep rehashing the hashed version.

Cheers

Ari



-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A



Mime
View raw message