incubator-jspwiki-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Jaquith (JIRA)" <>
Subject [jira] Resolved: (JSPWIKI-20) Password hash should be salted
Date Wed, 14 May 2008 20:08:55 GMT


Andrew Jaquith resolved JSPWIKI-20.

    Resolution: Fixed
      Assignee: Andrew Jaquith  (was: Janne Jalkanen)

Fixed in 2.7.0-svn-24. The change notes:

* Passwords are now salted and hashed per RFC 2307. Every password is salted with a 8-byte
random salt.

* The sort-of-secret "share container user accounts with JDBCUserDatabase" option has been
permanently removed, and will not be replaced. This was previously added to make it easier
for users to add themselves to JDBC-based container realms. However, the switch to salted
passwords precludes the continued use of this option. So it's gone and won't come back.

* Added a new class CryptoUtil that allows admins to generate SSHA password hashes (and verify
an existing password given a supplied hash) at the command line. See the Javadoc for com.ecyrd.jspwiki.util.CryptoUtil
for details.

> Password hash should be salted
> ------------------------------
>                 Key: JSPWIKI-20
>                 URL:
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 2.5.139-beta
>            Reporter: Janne Jalkanen
>            Assignee: Andrew Jaquith
>             Fix For: 2.8
>         Attachments: jspwiki-20.patch
> The password hash is calculated as a direct SHA1-digest of the password.  Unfortunately
this means that it's vulnerable to brute-force attacks - there are many web sites which store
SHA1 hashes of common passwords.  The key space in most languages is pretty small... So the
password should really be properly salted with preferably a long, random string.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message