tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 51966] Tomcat does not support ssha hashed passwords in all contexts
Date Mon, 27 Aug 2012 21:00:16 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966

--- Comment #11 from david@leppik.net ---
Unfortunately, just adding salt to hashes doesn't provide much more security
these days. Modern password hashing algorithms, such as bcrypt, include the
salt as part of the hash. What's more, the current digest algorithms are
woefully out of date, so adding salt will only extend the illusion that
they are secure.

A better solution would be to allow users to plug in a digest algorithm that
they trust, and perhaps to bundle a few high quality third-party algorithms as
well.

I'm going to create a separate bug report with more details.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
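To make the distinction in the comment above concrete, here is an added Python illustration (it is not code from the bug report, from Tomcat, or from the commenter). It builds a salted-SHA-1 credential in the LDAP `{SSHA}` layout, which is what the bug title refers to, next to a slow PBKDF2-SHA256 credential in a self-describing `$pbkdf2-sha256$...` string whose layout is this example's own invention. Both strings carry their salt inside the stored value, so "salt embedded in the hash" is not what separates the two; the per-guess cost is. A small prefix-keyed handler registry stands in for the pluggable digest mechanism the comment asks for. The sample password is constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed sample input for this example; nothing here comes from the bug report.
SAMPLE_PASSWORD = "correct horse battery staple"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def ssha_hash(password, salt=None):
    """LDAP-style {SSHA}: base64( sha1(password || salt) || salt ).

    The salt is stored inside the credential string itself, so a verifier needs
    nothing beyond the string. Salting defeats precomputed tables, but SHA-1 is
    still a fast digest, so brute force against a leaked string stays cheap.
    """
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + _b64(digest + salt)


def ssha_verify(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)  # constant-time comparison


def pbkdf2_hash(password, salt=None, iterations=200_000):
    """Slow, salted KDF in a self-describing layout (this example's own format,
    not Tomcat's): $pbkdf2-sha256$<iterations>$<salt>$<key>.

    As with bcrypt's modular-crypt strings, the salt and the cost parameter travel
    with the hash, so the cost can be raised later without a schema change.
    """
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(key))


def pbkdf2_verify(password, stored):
    _, scheme, iterations, salt_b64, key_b64 = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unexpected scheme: " + scheme)
    salt, key = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(key)
    )
    return hmac.compare_digest(key, candidate)


# Pluggable verification: the stored string's prefix selects the handler. This is
# what lets a deployment move from {SSHA} to a slow KDF one credential at a time,
# rehashing each user's password on their next successful login.
HANDLERS = {
    "{SSHA}": ssha_verify,
    "$pbkdf2-sha256$": pbkdf2_verify,
}


def verify(password, stored):
    for prefix, handler in HANDLERS.items():
        if stored.startswith(prefix):
            return handler(password, stored)
    raise ValueError("no credential handler registered for this format")


def seconds_per_guess(hash_fn, guesses):
    """Wall-clock cost of one password guess against `hash_fn`, i.e. what an
    offline attacker holding the leaked credential string pays per attempt."""
    salt = b"\x00" * 16  # fixed salt so only the digest cost is measured
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn("guess%d" % i, salt)
    return (time.perf_counter() - start) / guesses


if __name__ == "__main__":
    for stored in (ssha_hash(SAMPLE_PASSWORD), pbkdf2_hash(SAMPLE_PASSWORD)):
        print(stored, verify(SAMPLE_PASSWORD, stored), verify("wrong", stored))
    print("SSHA   seconds/guess: %.2e" % seconds_per_guess(ssha_hash, 20000))
    print("PBKDF2 seconds/guess: %.2e" % seconds_per_guess(pbkdf2_hash, 3))
```

Running it shows two different `{SSHA}` strings for the same password (fresh salt each time) that both verify, and a per-guess cost for PBKDF2 several orders of magnitude above salted SHA-1. The iteration count of 200,000 is a placeholder chosen for this example; a real deployment tunes it to the hardware and revisits it over time, which the self-describing string makes possible.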

