incubator-cassandra-user mailing list archives

From Aaron Morton <aa...@thelastpickle.com>
Subject Re: Questions about using MD5 encryption with SimpleAuthenticator
Date Wed, 18 May 2011 21:33:35 GMT
Also, if you were wearing an aluminium foil hat, you may also be concerned about how the password is sent to the server.

Again though, see previous "I am not a security guy" comment and helpful link from Jonathan
confirming that statement :)
Cheers

-----------------
Aaron Morton
Freelance Cassandra Developer
@aaronmorton
http://www.thelastpickle.com

On 19/05/2011, at 1:19 AM, Ted Zlatanov <tzz@lifelogs.com> wrote:

> On Tue, 17 May 2011 15:52:22 -0700 Sameer Farooqui <cassandralabs@gmail.com> wrote:
> 
> 
> SF> Would still be nice though to use the bcrypt hash over MD5 for stronger
> SF> security.
> 
> I used MD5 when I proposed SimpleAuthenticator for two reasons:
> 
> 1) SimpleAuthenticator is supposed to be a demo of the authentication
> interface.  It can be used for testing and trivial setups, but I
> wouldn't use it in production.  So it's meant to get you going easily,
> not to serve you long-term.
> 
> 2) MD5 is built into Java.  At the time, bcrypt and SHA-* were not.  I
> used MD5 only so the passwords are not stored in the clear, not to
> provide production-level security.
> 
> You should consider carefully the implications of storing passwords in a
> file on a database server, no matter how they are encrypted.  It would
> be better to write a trivial AD/LDAP/etc. authenticator that fits your
> specific needs and doesn't rely on a local file.
> 
> Ted
> 
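Ted's two points above, an unsalted MD5 password file beside a salted, iterated alternative, as an added example in Python that is not code from Cassandra or from either poster; the `user=value` file layout, the `pbkdf2_sha256$...` entry format and the iteration count are assumptions, and the sample users and passwords are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, tune to your hardware

def md5_entry(user, password):
    # Legacy SimpleAuthenticator style (assumed layout): user=hex(md5(password)), no salt.
    return f"{user}={hashlib.md5(password.encode()).hexdigest()}"

def pbkdf2_entry(user, password, salt=None):
    # Hardened entry (assumed format): user=pbkdf2_sha256$iterations$salt_hex$hash_hex
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{user}=pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def parse_passwd(text):
    # Properties-style file: one user=value per line, '#' comment lines ignored.
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, value = line.partition("=")
            store[user.strip()] = value.strip()
    return store

def verify(store, user, password):
    # Accepts both entry formats; constant-time compare avoids a timing leak.
    stored = store.get(user)
    if stored is None:
        return False
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, hash_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), hash_hex)
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)

def shared_hashes(store):
    # Users whose stored values are identical: only happens without a per-user salt,
    # so a leaked file reveals who shares a password and precomputed tables apply.
    seen = {}
    for user, value in store.items():
        seen.setdefault(value, []).append(user)
    return [users for users in seen.values() if len(users) > 1]

# Constructed sample: two users who happened to pick the same password.
LEGACY = "\n".join([md5_entry("alice", "letmein"), md5_entry("bob", "letmein")])
HARDENED = "\n".join([pbkdf2_entry("alice", "letmein"), pbkdf2_entry("bob", "letmein")])
```

With the legacy file `shared_hashes` reports alice and bob together; with the salted file it reports nothing, while `verify` still accepts the correct password in both cases.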
