db-derby-dev mailing list archives

From "Knut Anders Hatlen (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-5550) Document derby.authentication.builtin.saltLength and derby.authentication.builtin.iterations
Date Tue, 27 Mar 2012 13:10:41 GMT

    [ https://issues.apache.org/jira/browse/DERBY-5550?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13239420#comment-13239420 ]

Knut Anders Hatlen commented on DERBY-5550:

Thanks, Kim. The changes look good and complete to me. Two tiny comments:

- Maybe we should just say "difficult" instead of "extremely difficult" in the description
of the saltLength property?

- In the NATIVE authentication topic, we now say: "Two related properties are derby.authentication.builtin.saltLength
and derby.authentication.builtin.iterations, which make the encrypted passwords harder for
attackers to decipher."

The properties don't necessarily make it harder for attackers, for example if they are set
to values lower than their defaults. So maybe change the last clause to "which may be used
to ..."?

Another small issue with that sentence is that it says the passwords are encrypted in the
database (that's also said some other places in the NATIVE authentication topic). The passwords
are hashed, not encrypted, so we might want to change "encrypted passwords" -> "hashed
passwords" and maybe also "decipher" -> "crack".
> Document derby.authentication.builtin.saltLength and derby.authentication.builtin.iterations
> --------------------------------------------------------------------------------------------
>                 Key: DERBY-5550
>                 URL: https://issues.apache.org/jira/browse/DERBY-5550
>             Project: Derby
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions:
>            Reporter: Knut Anders Hatlen
>            Assignee: Kim Haase
>         Attachments: DERBY-5550.diff, DERBY-5550.stat, DERBY-5550.zip
>
> DERBY-5539 introduced two new properties that control how BUILTIN stores credentials:
>
> - derby.authentication.builtin.saltLength (default: 16)
> This property specifies the number of bytes of random salt that will be added to the credentials before hashing them. (Purpose of the property: Make it infeasible to construct rainbow tables.)
>
> - derby.authentication.builtin.iterations (default: 1000, minimum: 1)
> This property specifies the number of times to apply the hash function (which is specified by derby.authentication.builtin.algorithm) on the credentials. (Purpose of the property: Slow down attackers as they'll need to spend more time calculating hashes.)
>
> Both the properties have effect only if BUILTIN authentication is enabled and derby.authentication.builtin.algorithm has a non-null value.
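The following is an added illustration, not Derby's code or its actual credential format, of what the two properties in the quoted description control and of the point made in the comment that values below the defaults weaken the protection. It assumes a simple hash(password || salt) chain re-hashed `iterations` times, with SHA-256 standing in for the derby.authentication.builtin.algorithm value.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed illustration of saltLength and iterations. The chaining below
# (hash(password || salt), then re-hash the digest) is an assumption for
# demonstration only; it is not Derby's on-disk credential layout.

def iterated_salted_hash(password: str, salt: bytes, iterations: int,
                         algorithm: str = "SHA-256") -> bytes:
    """Apply the configured hash function `iterations` times to password||salt."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1 (the property's minimum)")
    algo = algorithm.replace("-", "").lower()          # JCA-style name -> hashlib name
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    for _ in range(iterations - 1):                    # first application done above
        digest = hashlib.new(algo, digest).digest()
    return digest

def store_credentials(password: str, salt_length: int = 16, iterations: int = 1000,
                      algorithm: str = "SHA-256") -> tuple:
    """Return what a server keeps: random salt, the parameters used, final digest."""
    salt = os.urandom(salt_length)                     # saltLength bytes of random salt
    return (salt, iterations, algorithm,
            iterated_salted_hash(password, salt, iterations, algorithm))

def verify(password: str, stored: tuple) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    salt, iterations, algorithm, digest = stored
    return hmac.compare_digest(
        iterated_salted_hash(password, salt, iterations, algorithm), digest)

def precomputed_lookup(stored: tuple, candidates: list) -> Optional[str]:
    """Model a lookup (rainbow) table of one-shot, unsalted hashes of common passwords.
    It can only match a stored value produced with no salt and a single iteration."""
    algo = stored[2].replace("-", "").lower()
    table = {hashlib.new(algo, c.encode("utf-8")).digest(): c for c in candidates}
    return table.get(stored[3])

if __name__ == "__main__":
    # Constructed sample: default settings versus both properties lowered to the floor.
    common = ["password", "derby", "letmein"]
    strong = store_credentials("derby")
    weak = store_credentials("derby", salt_length=0, iterations=1)
    print(verify("derby", strong), precomputed_lookup(strong, common))  # True None
    print(verify("derby", weak), precomputed_lookup(weak, common))      # True derby
```

With saltLength=0 and iterations=1 the stored value degenerates to the bare hash of the password, which is exactly what a precomputed table is built against; the defaults (16, 1000) make the table miss and multiply the work per guess.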


