incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Jaquith (JIRA)" <j...@apache.org>
Subject [jira] Commented: (JSPWIKI-20) Password hash should be salted
Date Wed, 14 May 2008 20:12:55 GMT

    [ https://issues.apache.org/jira/browse/JSPWIKI-20?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12596923#action_12596923
] 

Andrew Jaquith commented on JSPWIKI-20:
---------------------------------------

One thing I should have added in the Javadoc is that hashes are updated transparently whenever
the password is changed, OR upon successful login. Otherwise, if the hash is still in the
old format, we keep it that way. It's quite transparent to the user and admin.

> Password hash should be salted
> ------------------------------
>
>                 Key: JSPWIKI-20
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-20
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 2.5.139-beta
>            Reporter: Janne Jalkanen
>            Assignee: Andrew Jaquith
>             Fix For: 2.8
>
>         Attachments: jspwiki-20.patch
>
>
> The password hash is calculated as a direct SHA1-digest of the password.  Unfortunately
this means that it's vulnerable to brute-force attacks - there are many web sites which store
SHA1 hashes of common passwords.  The key space in most languages is pretty small... So the
password should really be properly salted with preferably a long, random string.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message