On Sun, Oct 31, 2010 at 9:49 AM, Kiran Ayyagari <email@example.com>
Currently we don't have a feature to automatically hash the passwords before
storing them; I would like to propose that we should add this feature.
I would like to add a new interceptor to support this feature:
1. It is easy to enable/disable without adding some more config options
2. We can place it at the appropriate position in the interceptor chain so that
the changelog and journals will also have the same password as the DIT
We currently support the following hashing algorithms
SHA, SSHA, MD5, SMD5, Crypt, SHA-2 (256, 384, 512 along with their
Should be sufficient.
Studio might need to change its 'password change' screen by adding an option
to send the plain text password though the original password is hashed.
(AFAIU currently Studio hashes on the client side and sends)
Thanks for taking this on Kiran. Any bit of additional security is great. I know you've thought through all the relevant implications this might have with any other authentication mechanisms we have.
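
The hash-on-write step proposed in this thread, as an added example that is not part of the original messages and is not ApacheDS code. It is written in Python for illustration and assumes the conventional `{SSHA}` storage layout, base64(SHA-1(password + salt) + salt); the function names are hypothetical. Values that already carry a scheme label, such as a password hashed on the client side, are stored unchanged so they are never hashed twice.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

# Leading scheme label such as {SSHA} or {MD5} on a stored userPassword value.
SCHEME_PREFIX = re.compile(rb"^\{([A-Za-z0-9-]+)\}")
# Scheme names taken from the list in the thread (SHA-2 variants left out).
KNOWN_SCHEMES = {b"SHA", b"SSHA", b"MD5", b"SMD5", b"CRYPT"}
SHA1_LEN = 20  # SHA-1 digest size in bytes


def is_hashed(value: bytes) -> bool:
    """True if the value already starts with a recognised scheme label."""
    m = SCHEME_PREFIX.match(value)
    return bool(m) and m.group(1).upper() in KNOWN_SCHEMES


def ssha(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """Return {SSHA} + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per password
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def hash_on_write(value: bytes) -> bytes:
    """What the interceptor would store: hash plaintext, pass hashes through.

    Caveat: a plaintext password that itself begins with a known label
    (for example "{SSHA}abc") is indistinguishable from a hash and is
    stored as-is.
    """
    return value if is_hashed(value) else ssha(value)


def verify_ssha(stored: bytes, candidate: bytes) -> bool:
    """Check a bind password against a stored {SSHA} value."""
    if not stored.upper().startswith(b"{SSHA}"):
        return False
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(candidate + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time compare
```

Because the hashing happens before the value reaches the changelog and journal, those stores see only the labelled hash, which is the ordering point made in item 2 of the proposal.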