incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Janne Jalkanen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-20) Password hash should be salted
Date Sat, 12 Apr 2008 20:37:04 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-20?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588313#action_12588313
] 

Janne Jalkanen commented on JSPWIKI-20:
---------------------------------------

I don't quite understand how LDAP is supposed to figure out what the salt is - from the examples
it looks like the salt is just simply appended to SSHA, but there is no indication in how
long the salt is.  Or am I missing something?

I am also worried about this: 
{quote}
Note: use of RFC 2307 Experimental passwords violates the Standard Track specification, RFC
2256, for user passwords and may lead to interoperability problems. 
{quote}

> Password hash should be salted
> ------------------------------
>
>                 Key: JSPWIKI-20
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-20
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 2.5.139-beta
>            Reporter: Janne Jalkanen
>            Assignee: Janne Jalkanen
>             Fix For: 2.8
>
>         Attachments: jspwiki-20.patch
>
>
> The password hash is calculated as a direct SHA1-digest of the password.  Unfortunately
this means that it's vulnerable to brute-force attacks - there are many web sites which store
SHA1 hashes of common passwords.  The key space in most languages is pretty small... So the
password should really be properly salted with preferably a long, random string.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message