incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Janne Jalkanen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-20) Password hash should be salted
Date Sun, 18 Nov 2007 13:07:43 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-20?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12543372
] 

Janne Jalkanen commented on JSPWIKI-20:
---------------------------------------

Folks; should we fix this in 2.6 already, or should we wait?  Whenever it is fixed, it *will*
break the existing password databases.

One option would of course be to add the hash to the password itself (like old UNIX passwords).
 That way new passwords would be salted, but old passwords could still be read.  E.g.

{SHA1}foobar,4389028409328042021093801923

where "foobar" is the salt.

The other possibility is to have a known, fixed, hard-coded salt value; or user-settable salt
value.

> Password hash should be salted
> ------------------------------
>
>                 Key: JSPWIKI-20
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-20
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 2.5.139-beta
>            Reporter: Janne Jalkanen
>
> The password hash is calculated as a direct SHA1-digest of the password.  Unfortunately
this means that it's vulnerable to brute-force attacks - there are many web sites which store
SHA1 hashes of common passwords.  The key space in most languages is pretty small... So the
password should really be properly salted with preferably a long, random string.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message