incubator-cassandra-dev mailing list archives

From Jonathan Ellis <jbel...@gmail.com>
Subject Re: Further enhancments in j.a.c.auth
Date Tue, 09 Mar 2010 22:19:21 GMT
We should probably use http://www.mindrot.org/projects/jBCrypt/.
(Lots of background:
http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html)

We kind of have a nagging feeling though that rolling our own auth
framework in 2010 is the wrong approach.
http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
has been mentioned as an alternative.

The ML is the appropriate place for this, yes. :)

On Tue, Mar 9, 2010 at 3:42 PM, Morten Wegelbye Nissen <mwn@monit.dk> wrote:
> Hi All,
>
> In simple authenticator it's possible to configure passwords to be stored as
> MD5 sums - for a security sucker there are two problems here.
> MD5 is broken[1].
> There is no salt added to the clear value, which means if two users choose to
> have the same password, the encoded values would be the same.
> I suggest that someone add support for an alternative hashing algorithm. And
> that the hash is calculated with some prefix. (username maybe)
>
> I know the present is better than having the passwords in cleartext. But,
> when a user chooses to enable the password hashing, it's for a reason. And
> there is no reason to choose to jump into the common security pitfalls :)
>
> btw. is it against the protocol to raise these kinds of questions on this
> mailing list? Or should it be somewhere else?
>
> ./Morten
>
> [1] http://en.wikipedia.org/wiki/MD5   (Back in 1995 it was recommended not
> to base further security on md5)
>
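
An added example, not part of either message and not Cassandra code: it shows the duplicate-hash problem raised in the quoted message and how a per-user random salt with a slow KDF removes it. PBKDF2 from the Python standard library stands in here for the bcrypt library recommended in the reply; the account names, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; two users happen to pick the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this sketch


def md5_store(users):
    """Unsalted MD5, the storage scheme the quoted message criticises."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        store[user] = (salt, digest)
    return store


def verify(store, user, password):
    """Recompute with the stored salt and compare in constant time."""
    if user not in store:
        return False
    salt, digest = store[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_hashes(hash_by_user):
    """Audit helper: groups of users whose stored value is identical."""
    groups = defaultdict(list)
    for user, value in hash_by_user.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    print("unsalted MD5 duplicates:", shared_hashes(md5_store(USERS)))
    salted = salted_store(USERS)
    print("salted duplicates:", shared_hashes({u: d for u, (_, d) in salted.items()}))
    print("bob verifies:", verify(salted, "bob", "hunter2"))
```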
