directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <>
Subject [jira] [Commented] (DIRSERVER-1822) Same password can be used multiple times, when SSHA is used for password hash.
Date Thu, 11 Apr 2013 11:27:17 GMT


Emmanuel Lecharny commented on DIRSERVER-1822:

Peter, in the latest version, the password is stored as provided by the user (i.e., not hashed)
in the password history. The hashing is done *after* the password has been stored in the history
as clear text.

Kiran is right here: the only possible issue is when the user provides an already hashed
password, then we can't determine if the password has already been used.

> Same password can be used multiple times, when SSHA is used for password hash.
> ------------------------------------------------------------------------------
>                 Key: DIRSERVER-1822
>                 URL:
>             Project: Directory ApacheDS
>          Issue Type: Bug
>            Reporter: Peter Hmelak
>            Assignee: Kiran Ayyagari
> When using SSHA (salted SHA) for password hashing, no CONSTRAINT_VIOLATION (invalid reuse of password present in password history) is thrown, if new password is the same as one already in pwdHistory.
> I believe current implementation just compares new password hash, with ones stored in pwdHistory.
> And because of new salt, no two hashes are ever alike, even though passwords are the
> Suggestion for fix:
> *Every* salt stored in pwdHistory should be used, together with new password when creating password hashes, that are then compared with ones already stored in pwdHistory.

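The reuse check suggested in the report, beside the fresh-salt comparison it describes, as an added example that is not part of the original message and is not ApacheDS code. It assumes the history holds bare `{SSHA}` strings (a simplification of the real pwdHistory value), all function names are hypothetical, and the `{scheme}` prefix test for an already hashed value is a heuristic.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SHA-1 digest size; the salt is whatever follows it


def ssha(password: bytes, salt: bytes = None) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_matches(password: bytes, stored: str) -> bool:
    """Re-hash the candidate with the salt embedded in the stored value."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an SSHA value")
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


def naive_reused(new_password: bytes, history: list) -> bool:
    """Flawed check from the report: hash with a fresh salt, compare strings."""
    return ssha(new_password) in history


def reused(new_password: bytes, history: list):
    """Suggested fix: try every salt stored in the history.

    Returns True/False, or None when the client sent an already hashed value
    (for example "{SSHA}..."), because there is no cleartext to re-hash.
    """
    if new_password.startswith(b"{") and b"}" in new_password:
        return None  # assumption: a "{scheme}" prefix marks a pre-hashed value
    return any(ssha_matches(new_password, entry) for entry in history)


# Constructed sample history (not taken from any real directory).
HISTORY = [ssha(b"Winter2012!"), ssha(b"Spring2013!")]

if __name__ == "__main__":
    print("fresh-salt compare:", naive_reused(b"Winter2012!", HISTORY))
    print("per-salt compare:  ", reused(b"Winter2012!", HISTORY))
    print("pre-hashed input:  ", reused(ssha(b"Winter2012!").encode(), HISTORY))
```

The `None` result corresponds to the case raised in the comment: a client-supplied hash carries its own salt, so it cannot be checked against the salts in the history.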