syncope-dev mailing list archives

From Francesco Chicchiriccò <ilgro...@apache.org>
Subject Re: [DISCUSS] - Change default password algorithm for 2.1.0
Date Fri, 14 Jul 2017 11:09:18 GMT
On 14/07/2017 11:54, Colm O hEigeartaigh wrote:
> OK thanks. Well I'd say that "SSHA256" would be best, WDYT?
>
> BTW I'm a bit dubious about "SECRET_KEY = DEFAULT_SECRET_KEY;" in
> Encryptor. If SECRET_KEY is null we should probably throw an exception...

We recently took a different approach for default admin password, 
default JWS key, etc

https://issues.apache.org/jira/browse/SYNCOPE-1119

No?

> On Fri, Jul 14, 2017 at 10:48 AM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:
>
>> On 14/07/2017 11:45, Colm O hEigeartaigh wrote:
>>
>>> How does the salt configuration work for "SSHA256"? Is it stored in
>>> security.properties?
>>>
>> Password values are encrypted by
>>
>> https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
>>
>> with configuration from security.properties
>>
>> Regards.
>>
>>> On Fri, Jul 14, 2017 at 10:41 AM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:
>>>
>>>> On 14/07/2017 11:40, Colm O hEigeartaigh wrote:
>>>>> I guess SHA-256 would be a straightforward replacement. Maybe we should
>>>>> instead move to a salted hash though?
>>>>
>>>> Well, just set your preference among
>>>>
>>>> https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/types/CipherAlgorithm.java
>>>>
>>>> :-)
>>>>
>>>> Regards.
>>>>
>>>>> On Fri, Jul 14, 2017 at 9:52 AM, Francesco Chicchiriccò <ilgrosso@apache.org> wrote:
>>>>>
>>>>>> On 14/07/2017 10:48, Colm O hEigeartaigh wrote:
>>>>>>> Should we change the default password algorithm from SHA1 for 2.1.0? It's
>>>>>>> probably time to migrate from SHA1 IMO.
>>>>>>
>>>>>> Makes sense.
>>>>>>
>>>>>> The only problem I could see is when pulling hashed password values from
>>>>>> LDAP, where SHA1 is still quite common. Not a big deal, anyway.
>>>>>>
>>>>>> Which algorithm do you propose?
>>>>>>
>>>>>> Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
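The salted scheme the thread settles on, as an added example written for this archive page; it is not Syncope's Encryptor, is not driven by security.properties, and is not code from anyone in the thread. It assumes the common LDAP-style layout for such values (scheme prefix, then base64 of digest followed by salt, with a 16-byte salt), shows why the unsalted {SHA} (SHA-1) value leaks password reuse while {SSHA256} does not, and adds a verify path that still accepts legacy {SHA} values pulled from LDAP and re-hashes them on a successful login. That migration policy is the example's own assumption, not the project's.

```python
"""Salted SHA-256 ({SSHA256}) password values beside the unsalted SHA-1
({SHA}) values they replace, in the LDAP-style layout assumed here:
scheme prefix + base64(digest || salt).

Constructed example for the discussion above; not Syncope's Encryptor
and not driven by security.properties.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_BYTES = 16  # assumption: 128-bit random salt drawn per password
SHA256_LEN = hashlib.sha256().digest_size  # 32


def sha1_unsalted(password: str) -> str:
    """Legacy {SHA} value: base64(SHA1(password)).

    No salt, so two users with the same password store the same value,
    and a single precomputed table cracks every account at once.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA256} value: base64(SHA256(password || salt) || salt).

    The salt travels in clear inside the value; it must be unique per
    password, not secret. A fresh random salt is drawn unless one is
    passed in (deterministic tests only).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored value of either scheme.

    Legacy {SHA} values are still accepted so hashes pulled from LDAP
    keep working after the default changes. Both branches compare in
    constant time; an unknown or malformed value fails closed.
    """
    try:
        if stored.startswith("{SSHA256}"):
            raw = base64.b64decode(stored[len("{SSHA256}"):])
            if len(raw) <= SHA256_LEN:
                return False  # no salt present: refuse rather than guess
            digest, salt = raw[:SHA256_LEN], raw[SHA256_LEN:]
            candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
            return hmac.compare_digest(candidate, digest)
        if stored.startswith("{SHA}"):
            digest = base64.b64decode(stored[len("{SHA}"):])
            candidate = hashlib.sha1(password.encode("utf-8")).digest()
            return hmac.compare_digest(candidate, digest)
    except ValueError:  # bad base64 (binascii.Error is a ValueError)
        return False
    return False


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Transparent migration policy (this example's, not Syncope's):
    when a login succeeds against a legacy {SHA} value, return a fresh
    {SSHA256} value for the caller to write back in its place."""
    ok = verify(password, stored)
    if ok and stored.startswith("{SHA}"):
        return True, ssha256(password)
    return ok, stored


if __name__ == "__main__":
    # Constructed inputs: two accounts that happen to share a password.
    legacy_a, legacy_b = sha1_unsalted("Password1"), sha1_unsalted("Password1")
    print("unsalted SHA-1 values identical:", legacy_a == legacy_b)
    new_a, new_b = ssha256("Password1"), ssha256("Password1")
    print("salted SHA-256 values identical:", new_a == new_b)
    ok, upgraded = verify_and_upgrade("Password1", legacy_a)
    print("legacy login ok:", ok, "| now stored as:", upgraded[:9])
```

The salt is not what makes the scheme slow, so a salted SHA-256 still needs a per-user work factor if offline guessing is the concern; what it does fix is that a leaked table no longer reveals which users share a password and can no longer be attacked with one precomputed table for all of them.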

