portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j...@apache.org
Subject [jira] Created: (JS2-13) Security Component: Password protection enhancements
Date Thu, 15 Apr 2004 21:59:43 GMT

  A new issue has been created in JIRA.

View the issue:

Here is an overview of the issue:
        Key: JS2-13
    Summary: Security Component: Password protection enhancements
       Type: New Feature

     Status: Unassigned
   Priority: Minor

    Project: Jetspeed 2

   Reporter: David Le Strat

    Created: Thu, 15 Apr 2004 2:58 PM
    Updated: Thu, 15 Apr 2004 2:58 PM
Environment: Security Component

Submitted by Lester Ward.

Password protection features to the
security model used for J2 that will enhance security significantly,
particularly against dictionary attacks on the database.
1) Salted passwords. Protects against batched dictionary attacks.
2) Variable security. Basically a per user settable counter that sets how many times a hash
function is repeated. Repeating the hash does not improve security of a given password, but
rather intentionally slows down the password check and, therefore, makes dictionary attacks
significantly more expensive for the attacker. Further, it can be tuned per user so that passwords
of some users take longer to dictionary attack than others.
3) Password fields at least large enough to hold hashed SHA-256.

Not as important, but a "nice to have":
4) Variable algorithm. A per user setting that indicates what algorithm is used to validate
the user. This is useful really
only to solve on particular problem: if you later decide to migrate to a new algorithm --
moving from MD5 to SHA-256, say -- how do you do so without resetting everyone's password?
For most systems, you cannot just rehash the password under the new system, because you only
have the encrypted version and cannot generate the plaintext. If, however, you had a setting
that indicates what algorithm was used, you can do a migration gradually. That is, next time
that user logs on (which is validated under the old system), you can make him change the password,
saving the new one under the new system. This sounds a bit unlikely, I know, but I've had
to migrate two different systems to a new password algorithm and it was not pleasant because
the systems lacked this feature.

This message is automatically generated by JIRA.

If you think it was sent incorrectly contact one of the administrators:

If you want more information on JIRA, or have a bug to report see:

To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org

View raw message