tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gabriel Sánchez Martínez <>
Subject Re: Re: support for salted passwords
Date Sun, 02 Feb 2014 16:56:59 GMT

On 02/02/2014 02:51 AM, Nick Williams wrote:
> On Feb 2, 2014, at 1:23 AM, Gabriel E. Sánchez Martínez wrote:
>> Hi developers,
>> I am very new to Tomcat but am already getting my feet wet with a web application.
 A requirement for this application is form-based password authentication, and I would like
to store passwords in a database using salted SHA-512 digests
> I can't speak to most of this email, but don't do this. SHA-x is a *fast* hashing algorithm.
It's not designed for passwords. The problem with fast hashing algorithms is that they are
*very* susceptible to rainbow table attacks. Modern password-hacking systems with 24 GPUs
can calculate billions of MD5 and SHA-x hash attacks per second.
> I strongly recommend you use a *slow* hashing algorithm such as bcrypt, which is designed
specifically for hashing passwords. These algorithms use more than just CPU/GPU operations
(such as memory). Password hacking systems can only calculate thousands of these per second
instead of millions. It's much better protection in case your password database is ever stolen.

Thanks Nick.  I will look into the options available for digest 
algorithms.  The code I attached works with any digest algorithm, 
though.  So I think (but do tell me if I am missing something) that the 
question of whether there is interest to include a realm that supports 
salted passwords still stands.  Or more generally, it seems that the 
realms that ship with Tomcat (specifically the ones based on password 
storage) provide weak security in the event of a compromised password 
table, which suggests two things.  First, the documentation should be 
improved so that newcomers (like me) better understand the risks 
associated with using the standard realms, and they are better placed to 
implement more secure realms.  Second, Tomcat should ship with a more 
secure password storage realm options so that newcomers get better 
security out of the box.  The defaults should be strong salted digests, 
not cleartext or unsalted digests. Do people agree?

>> , recognizing that this is not state-of-the-art password protection, but it is a
more secure method than unsalted digests in the event that the password table is compromised.
>> <snip />
> Nick

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message