From: "Janne Jalkanen (JIRA)"
To: jspwiki-dev@incubator.apache.org
Date: Sun, 11 May 2008 10:27:55 -0700 (PDT)
Subject: [jira] Commented: (JSPWIKI-20) Password hash should be salted
Message-ID: <1552104126.1210526875630.JavaMail.jira@brutus>
In-Reply-To: <2849133.1194205070952.JavaMail.jira@brutus>

[ https://issues.apache.org/jira/browse/JSPWIKI-20?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12595923#action_12595923 ]

Janne Jalkanen commented on JSPWIKI-20:
---------------------------------------

I would like to get this in somehow pretty soon. Andrew, opinions?

> Password hash should be salted
> ------------------------------
>
> Key: JSPWIKI-20
> URL: https://issues.apache.org/jira/browse/JSPWIKI-20
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication&Authorization
> Affects Versions: 2.5.139-beta
> Reporter: Janne Jalkanen
> Assignee: Janne Jalkanen
> Fix For: 2.8
>
> Attachments: jspwiki-20.patch
>
>
> The password hash is calculated as a direct SHA1 digest of the password. Unfortunately this means that it's vulnerable to brute-force attacks - there are many web sites which store SHA1 hashes of common passwords. The key space in most languages is pretty small... So the password should really be properly salted with preferably a long, random string.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
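The weakness the issue describes (a bare SHA1 digest, identical for every account that shares a password) beside a salted variant, as an added example that is neither JSPWiki's code nor the attached jspwiki-20.patch. It assumes a 16-byte SecureRandom salt and a "salt$hash" storage format, and keeps SHA-1 to match the issue; a deliberately slow KDF such as PBKDF2 would raise the brute-force cost further.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/** Added example, not JSPWiki code: bare SHA-1 beside a per-user salted SHA-1. */
public class SaltedPasswordExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16; // assumption: 128-bit random salt per password

    private static byte[] sha1(byte[]... parts) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            for (byte[] p : parts) md.update(p);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Weak form from the issue: a precomputed table of SHA-1(common password) matches this directly. */
    static String unsaltedHash(String password) {
        return Base64.getEncoder().encodeToString(sha1(password.getBytes(StandardCharsets.UTF_8)));
    }

    /** Hardened form: fresh random salt hashed with the password, stored as "salt$hash" (assumed format). */
    static String saltedHash(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] digest = sha1(salt, password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(salt) + "$" + Base64.getEncoder().encodeToString(digest);
    }

    /** Verify by re-deriving with the stored salt; MessageDigest.isEqual is constant-time. */
    static boolean verify(String password, String stored) {
        String[] parts = stored.split("\\$", 2);
        if (parts.length != 2) return false;
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, sha1(salt, password.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) {
        String pw = "correct horse"; // constructed sample password
        System.out.println("unsalted, identical for every user: " + unsaltedHash(pw));
        System.out.println("salted, differs per call: " + saltedHash(pw) + " / " + saltedHash(pw));
        String stored = saltedHash(pw);
        System.out.println("verify right/wrong: " + verify(pw, stored) + " " + verify("wrong", stored));
    }
}
```

Two calls to saltedHash with the same password produce different stored values, which is exactly what defeats a lookup table of precomputed SHA1 hashes.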