cayenne-user mailing list archives

From "Michael Gentry" <blackn...@gmail.com>
Subject Re: hashing, best practices?
Date Fri, 08 Aug 2008 14:17:12 GMT
Yeah, I was drastically simplifying, but didn't mention it.

On Thu, Aug 7, 2008 at 8:26 PM, Aristedes Maniatis <ari@ish.com.au> wrote:
>
> On 08/08/2008, at 5:00 AM, Michael Gentry wrote:
>
>> public void setPassword(String newPassword)
>> {
>>  super.setPassword(sha1(newPassword));
>> }
>
> That's close to what we do too. Some small caveats:
>
> * think carefully about how you implement validation like 'password length
> is more than 4 characters' since the hash will always be more than 4
> characters
>
> * salt the password before hashing it (for example with the username and
> some other random string) otherwise you make it easy for someone to change
> the database value to a known password. That is, the password 'mypass'
> should hash to two different results for two different users.
>
> * make sure you don't getPassword and then setPassword somewhere in your
> code otherwise you'll keep rehashing the hashed version.
>
> Cheers
>
> Ari
>
>
>
> -------------------------->
> ish
> http://www.ish.com.au
> Level 1, 30 Wilson Street Newtown 2042 Australia
> phone +61 2 9550 5001   fax +61 2 9550 4001
> GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
>
>
>

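As an added example, not code from the thread or from Cayenne itself: a Java sketch of the setter override discussed above with Ari's three caveats folded in. `_User` here is a plain stand-in for the Cayenne-generated superclass (assumed; the real one is produced by cgen and persists properties through its own machinery), and the `salt` property, `setPasswordHash` and `checkPassword` are names introduced for this example. SHA-256 stands in for the SHA-1 of the snippet; a deliberately slow password KDF (PBKDF2, bcrypt) would be the better choice for stored passwords, but the structure of the override is the same.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/** Assumed stand-in for the Cayenne-generated _User superclass. */
class _User {
    private String username;
    private String password;   // holds the hash, never the plaintext
    private String salt;       // per-user random salt, hex encoded (assumed extra column)

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public String getSalt() { return salt; }
    public void setSalt(String salt) { this.salt = salt; }
}

public class User extends _User {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int MIN_PASSWORD_LENGTH = 8;

    /** Caveat 1: validate the plaintext here, before hashing. The stored value is
     *  always 64 hex characters, so a length check on getPassword() proves nothing. */
    @Override
    public void setPassword(String newPassword) {
        if (newPassword == null || newPassword.length() < MIN_PASSWORD_LENGTH) {
            throw new IllegalArgumentException(
                "password must be at least " + MIN_PASSWORD_LENGTH + " characters");
        }
        if (getUsername() == null) {
            throw new IllegalStateException("set the username before the password");
        }
        // Caveat 2: a fresh random salt on every change, stored beside the hash,
        // so 'mypass' hashes differently for alice and bob.
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        String saltHex = toHex(salt);
        setSalt(saltHex);
        super.setPassword(hash(getUsername(), saltHex, newPassword));
    }

    /** Caveat 3: code that copies or migrates a user must move the hash verbatim.
     *  Round-tripping getPassword() through setPassword() hashes the hash. */
    public void setPasswordHash(String hash, String saltHex) {
        setSalt(saltHex);
        super.setPassword(hash);
    }

    /** Recompute with the stored salt and compare in constant time. */
    public boolean checkPassword(String candidate) {
        if (candidate == null || getPassword() == null || getSalt() == null) {
            return false;
        }
        byte[] expected = getPassword().getBytes(StandardCharsets.UTF_8);
        byte[] actual = hash(getUsername(), getSalt(), candidate).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    /** SHA-256 over username, salt and password, separated by NUL bytes so the
     *  three fields cannot run into each other. */
    static String hash(String username, String saltHex, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(username.getBytes(StandardCharsets.UTF_8));
            md.update((byte) 0);
            md.update(saltHex.getBytes(StandardCharsets.UTF_8));
            md.update((byte) 0);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return toHex(md.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) {
        User alice = new User(); alice.setUsername("alice"); alice.setPassword("mypass-1234");
        User bob   = new User(); bob.setUsername("bob");     bob.setPassword("mypass-1234");
        System.out.println("same plaintext, different hashes: "
            + !alice.getPassword().equals(bob.getPassword()));
        System.out.println("alice correct: " + alice.checkPassword("mypass-1234"));
        System.out.println("alice wrong:   " + alice.checkPassword("wrong-password"));

        // The double-hash trap from caveat 3: this copy can never log in again.
        User bad = new User(); bad.setUsername("alice");
        bad.setPassword(alice.getPassword());            // hashes the hash
        System.out.println("rehashed copy: " + bad.checkPassword("mypass-1234"));

        User good = new User(); good.setUsername("alice");
        good.setPasswordHash(alice.getPassword(), alice.getSalt());
        System.out.println("verbatim copy: " + good.checkPassword("mypass-1234"));
    }
}
```

Two things worth keeping in mind when adapting this. Mixing the username into the hash, as the thread suggests, ties the stored value to the username, so renaming an account silently breaks its login; a random per-user salt on its own already gives the property Ari wants (the same password hashing differently for different users). And because the salt is stored next to the hash, it does nothing against someone who can already write to that row; what it buys is that an attacker who obtains the table cannot crack every user with one precomputed table or one pass over a wordlist.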