incubator-cassandra-user mailing list archives

From Ted Zlatanov <...@lifelogs.com>
Subject Re: Questions about using MD5 encryption with SimpleAuthenticator
Date Wed, 18 May 2011 13:19:25 GMT
On Tue, 17 May 2011 15:52:22 -0700 Sameer Farooqui <cassandralabs@gmail.com> wrote: 

SF> Would still be nice though to use the bcrypt hash over MD5 for stronger
SF> security.

I used MD5 when I proposed SimpleAuthenticator for two reasons:

1) SimpleAuthenticator is supposed to be a demo of the authentication
interface.  It can be used for testing and trivial setups, but I
wouldn't use it in production.  So it's meant to get you going easily,
not to serve you long-term.

2) MD5 is built into Java.  At the time, bcrypt and SHA-* were not.  I
used MD5 only so the passwords are not stored in the clear, not to
provide production-level security.

You should consider carefully the implications of storing passwords in a
file on a database server, no matter how they are encrypted.  It would
be better to write a trivial AD/LDAP/etc. authenticator that fits your
specific needs and doesn't rely on a local file.

Ted
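
The contrast discussed in this message, as an added example that is not part of the original post and is not Cassandra's SimpleAuthenticator code: an unsalted MD5 digest next to a salted, iterated hash with constant-time verification. PBKDF2-HMAC-SHA256 stands in for bcrypt because it ships with current JDKs; the class name, record format, iteration count and sample password are assumptions made for the example.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example: class, record format and sample password are all constructed here.
public class PasswordStorageDemo {
    static final int ITERATIONS = 600_000; // assumed work factor; tune to your hardware

    // Unsalted MD5 hex digest: keeps the password out of plain view, nothing more.
    static String md5Hex(String password) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
        return String.format("%032x", new BigInteger(1, d));
    }

    // Salted, iterated derivation using only classes shipped with the JDK.
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Stored record (format constructed for this example): iterations:salt:hash, Base64 fields.
    static String hash(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return ITERATIONS + ":" + enc.encodeToString(salt) + ":"
                + enc.encodeToString(pbkdf2(password, salt, ITERATIONS));
    }

    static boolean verify(char[] password, String record) throws Exception {
        String[] p = record.split(":");
        if (p.length != 3) return false; // malformed record never authenticates
        Base64.Decoder dec = Base64.getDecoder();
        byte[] actual = pbkdf2(password, dec.decode(p[1]), Integer.parseInt(p[0]));
        return MessageDigest.isEqual(dec.decode(p[2]), actual); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "s3cret-sample".toCharArray(); // constructed sample password
        System.out.println("MD5, two users, same digest: " + md5Hex("s3cret-sample").equals(md5Hex("s3cret-sample")));
        System.out.println("PBKDF2, two users, same record: " + hash(pw).equals(hash(pw)));
        String record = hash(pw);
        System.out.println("correct password verifies: " + verify(pw, record));
        System.out.println("wrong password verifies: " + verify("guess".toCharArray(), record));
    }
}
```

A stronger hash only slows offline guessing once the file has been read; it does not change the exposure of keeping the credential file on the database server, which is the concern the message raises.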

