tomcat-dev mailing list archives

Subject [Bug 51966] Tomcat does not support ssha hashed passwords in all contexts
Date Mon, 27 Aug 2012 21:00:16 GMT

--- Comment #11 from ---
Unfortunately, just adding salt to hashes doesn't provide much more security
these days.  Modern password hashing algorithms, such as bcrypt, include the
salt as part of the hash.  What's more, the current digest algorithms are
woefully out of date, so just adding salt will just extend the illusion that
they are secure.

A better solution would be to allow users to plug in a digest algorithm that
they trust, and perhaps to bundle a few high quality third-party algorithms as

I'm going to create a separate bug report with more details.

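The contrast drawn in the comment above, as an added example that is not part of the original message and is not Tomcat code (it is Python rather than Tomcat's Java): an `{SSHA}` verifier beside a slow, salted KDF whose stored string carries its own salt and cost, both selected through a plug-in table. PBKDF2 from the standard library stands in for bcrypt here, and the `{PBKDF2}` storage format, the `VERIFIERS` registry and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

def ssha_hash(password: str, salt: bytes) -> str:
    """{SSHA}: base64(SHA-1(password || salt) || salt). One fast hash per guess."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password: str, stored: str) -> bool:
    try:
        raw = base64.b64decode(stored[len("{SSHA}"):])
    except ValueError:
        return False
    if len(raw) <= 20:  # a SHA-1 digest is 20 bytes; whatever follows is the salt
        return False
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def pbkdf2_hash(password: str, iterations: int = 200_000, salt: bytes = None) -> str:
    """Constructed format {PBKDF2}iterations$salt$hash: salt and cost travel with the hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "{PBKDF2}%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def pbkdf2_verify(password: str, stored: str) -> bool:
    try:
        iterations, salt_b64, dk_b64 = stored[len("{PBKDF2}"):].split("$")
        salt, want = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
        got = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, int(iterations), len(want))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(got, want)

# Hypothetical plug-in registry: the scheme prefix of the stored value picks the verifier.
VERIFIERS = {"{SSHA}": ssha_verify, "{PBKDF2}": pbkdf2_verify}

def verify(password: str, stored: str) -> bool:
    for prefix, check in VERIFIERS.items():
        if stored.startswith(prefix):
            return check(password, stored)
    return False  # unknown scheme: fail closed
```

Because the iteration count is stored with each hash, the cost can be raised for new passwords without invalidating existing records.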