incubator-cassandra-dev mailing list archives

From Jonathan Ellis <>
Subject Re: Further enhancments in j.a.c.auth
Date Tue, 09 Mar 2010 22:19:21 GMT
We should probably use
(Lots of background:

We kind of have a nagging feeling though that rolling our own auth
framework in 2010 is the wrong approach.
has been mentioned as an alternative.

The ML is the appropriate place for this, yes. :)

On Tue, Mar 9, 2010 at 3:42 PM, Morten Wegelbye Nissen <> wrote:
> Hi All,
> In simple authenticator it's possible to configure passwords to be stored as
> MD5 sums - for a security sucker there are two problems here.
> MD5 is broken[1].
> There is no salt added to clear value, means if two users choose to have
> same password, the encoded values would be the same.
> I suggest that someone add support for an alternative hashing algorithm. And
> that the hash is calculated with some prefix. (username maybe)
> I know the present is better than having the passwords in cleartext. But,
> when a user chooses to enable the password hashing, it's for a reason. And
> there is no reason to choose to jump into the common security pitfalls :)
> btw. is it against the protocol to raise this kind of question to this
> mailing list? Or should it be somewhere else?
> ./Morten
> [1]   (Back in 1995 it was recommended not
> to base further security on md5)
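
The two problems raised in the quoted mail, as an added example that is not part of the original thread or of Cassandra's code: unsalted MD5 gives identical digests to users who share a password, while a random per-user salt does not. PBKDF2-HMAC-SHA256, the iteration count, the `iterations$salt$hash` storage format and the sample accounts are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000  # assumed work factor for this example


def md5_unsalted(password):
    """Unsalted MD5 hex digest, the storage format the mail criticises."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_digests(store):
    """Return groups of users whose stored value is byte-for-byte identical."""
    groups = defaultdict(list)
    for user, digest in store.items():
        groups[digest].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def hash_salted(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and count, then compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed sample accounts (not from the original mail).
SAMPLE = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}

if __name__ == "__main__":
    md5_store = {u: md5_unsalted(p) for u, p in SAMPLE.items()}
    salted_store = {u: hash_salted(p) for u, p in SAMPLE.items()}
    print("unsalted MD5, users sharing a digest:", shared_digests(md5_store))
    print("salted PBKDF2, users sharing a digest:", shared_digests(salted_store))
    print("alice verifies:", verify_salted("correct horse", salted_store["alice"]))
```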
