incubator-cassandra-dev mailing list archives

From Morten Wegelbye Nissen <>
Subject Further enhancements in j.a.c.auth
Date Tue, 09 Mar 2010 21:42:33 GMT
Hi All,

In the simple authenticator it's possible to configure passwords to be stored 
as MD5 sums - for a security sucker there are two problems here.
MD5 is broken[1].
There is no salt added to the clear value, which means that if two users choose to have 
the same password, the encoded values would be the same.
I suggest that someone add support for an alternative hashing algorithm, 
and that the hash is calculated with some prefix (username, maybe).

I know the present is better than having the passwords in cleartext. 
But when a user chooses to enable the password hashing, it's for a 
reason. And there is no reason to choose to jump into the common 
security pitfalls :)

btw. is it against the protocol to raise this kind of question on this 
mailing list? Or should it be somewhere else?


[1] (Back in 1995 it was recommended not to base further security on md5)
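The two defects named in the mail (a bare MD5 with no salt, and the fact that equal passwords produce equal stored values) can be seen directly on a small constructed user table. The following is an added example written for this archive page; it is not code from the mail or from Cassandra's own authenticator. It shows the unsalted scheme, the username-prefix variant the mail proposes, and goes one step further than the mail to a per-user random salt with an iterated hash (PBKDF2-HMAC-SHA256 from the standard library). The user names, passwords, record format and the 100,000 iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional

# Constructed sample credentials; not taken from any real Cassandra configuration.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

PBKDF2_ITERATIONS = 100_000  # assumption: a modest work factor for a demo


def md5_unsalted(password: str) -> str:
    """The scheme the mail criticises: a bare MD5 of the password.
    Two users with the same password get the same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_username_prefixed(username: str, password: str) -> str:
    """The mail's minimal suggestion: prefix the password with the username
    before hashing. Equal passwords now hash differently, but the 'salt'
    is predictable and MD5 itself is still the underlying function."""
    return hashlib.md5(f"{username}:{password}".encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256).
    The stored record carries everything needed to re-check a login:
    algorithm$iterations$salt_hex$digest_hex (format is an assumption)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the stored salt and iteration count and
    compare in constant time, so a mismatch cannot be timed byte by byte.
    Malformed or foreign records are rejected rather than raising."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def duplicate_hashes(hasher: Callable[[str, str], str]) -> List[str]:
    """Return the stored values shared by more than one user in USERS: the
    equal-password leak the mail describes, for a given hashing scheme."""
    seen: Dict[str, List[str]] = {}
    for user, pw in USERS.items():
        seen.setdefault(hasher(user, pw), []).append(user)
    return sorted(h for h, users in seen.items() if len(users) > 1)


if __name__ == "__main__":
    print("unsalted MD5 duplicates:", duplicate_hashes(lambda u, p: md5_unsalted(p)))
    print("username-prefixed MD5 duplicates:", duplicate_hashes(md5_username_prefixed))
    print("salted PBKDF2 duplicates:", duplicate_hashes(lambda u, p: hash_password(p)))
    record = hash_password("hunter2")
    print("stored record:", record)
    print("login ok:", verify_password("hunter2", record),
          "wrong password:", verify_password("hunter3", record))
```

Only the unsalted scheme reports a duplicate (alice and bob share a digest). The username prefix removes that symptom, but a random salt stored beside the digest is the usual choice because it stays unpredictable even when user names are known, and an iterated construction like PBKDF2 slows brute force in a way a single MD5 does not.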
