db-derby-dev mailing list archives

From "Knut Anders Hatlen (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (DERBY-3272) BUILTIN authentication: Passwords stored in a database are not hashed if also defined as system property
Date Fri, 28 Dec 2012 09:50:13 GMT

     [ https://issues.apache.org/jira/browse/DERBY-3272?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Knut Anders Hatlen closed DERBY-3272.
-------------------------------------

       Resolution: Fixed
    Fix Version/s: 10.9.1.0

This bug was fixed in 10.9.1.0 as part of DERBY-5507. Closing the issue.
                
> BUILTIN authentication: Passwords stored in a database are not hashed if also defined as system property
> --------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3272
>                 URL: https://issues.apache.org/jira/browse/DERBY-3272
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.3.2.1
>         Environment: BUILTIN authentication enabled
>            Reporter: John H. Embretsen
>              Labels: derby_triage10_5_2
>             Fix For: 10.9.1.0
>
>         Attachments: noPasswordHash.sql
>
>
> Normally, passwords stored as database properties when using Derby's BUILTIN authentication provider are hashed using the well-known SHA-1 algorithm (although this is most likely not mentioned in the documentation). This makes it very hard for attackers to reconstruct the actual password even if they are able to obtain the hashed password value from the database.
> However, if credentials for the same user are also defined programmatically, for example on the command line, the password is not hashed before it is being stored in the database. This could lead to surprises if, for example, a user is using system properties during development, and decides to switch to database properties only before deployment, as recommended in the documentation [1].
> Workaround: Do not specify the same user credentials programmatically when setting credentials as database properties. For example, define a temporary user by using system properties when storing real user credentials in the database.
> [1]: http://db.apache.org/derby/docs/dev/devguide/tdevcsecure82556.html

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
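An added example, not part of the JIRA issue or of Derby's own code: a pre-deployment audit that reproduces the legacy SHA-1 storage format and flags any `derby.user.*` database property whose value is not a recognised hash (the symptom this issue describes). It assumes, from Derby's source rather than from this page, that stored hashes carry a four-character scheme identifier (`3b60` for the SHA-1 scheme, `3b61`/`3b62` for schemes added in later releases) and that the SHA-1 scheme is `3b60` followed by the lowercase hex SHA-1 digest of the UTF-16BE encoded password; the property values themselves are constructed sample input.

```python
import hashlib
import re

# Scheme identifiers taken from Derby's source (assumption; not stated on the page).
SHA1_SCHEME_ID = "3b60"
LATER_SCHEME_IDS = ("3b61", "3b62")
_SHA1_VALUE = re.compile(r"^3b60[0-9a-f]{40}$")
USER_PROPERTY_PREFIX = "derby.user."  # Derby's BUILTIN credential property prefix


def derby_sha1_hash(password: str) -> str:
    """Legacy BUILTIN format: '3b60' + lowercase hex SHA-1 over the UTF-16BE password."""
    digest = hashlib.sha1(password.encode("utf-16-be")).hexdigest()
    return SHA1_SCHEME_ID + digest


def classify_stored_password(value: str) -> str:
    """Return 'sha1', 'hashed' (a later scheme) or 'plaintext' for a stored property value."""
    if _SHA1_VALUE.match(value):
        return "sha1"
    if value.startswith(LATER_SCHEME_IDS):
        return "hashed"
    # Anything else is what this issue warns about: the raw password was persisted.
    return "plaintext"


def audit_user_properties(properties: dict) -> list:
    """Return the derby.user.* property names whose stored value is not hashed."""
    return sorted(
        name for name, value in properties.items()
        if name.startswith(USER_PROPERTY_PREFIX)
        and classify_stored_password(value) == "plaintext"
    )


# Constructed sample: what SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY might return for
# two users, one stored correctly and one persisted in the clear.
SAMPLE_PROPERTIES = {
    "derby.user.alice": derby_sha1_hash("correct horse"),
    "derby.user.bob": "bobs-dev-password",
    "derby.connection.requireAuthentication": "true",
}

if __name__ == "__main__":
    for name in audit_user_properties(SAMPLE_PROPERTIES):
        print(f"WARNING: {name} is stored in plaintext; re-set it without the system property")
```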
