tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 51966] Tomcat does not support ssha hashed passwords in all contexts
Date Thu, 06 Feb 2014 00:22:01 GMT

--- Comment #18 from Gabriel <> ---
The only advantage I see of hashing in the client side is not storing a String
with the cleartext password in memory.  Strings are immutable objects, so they
cannot be cleared once password processing is completed.  If no references
point to it, then the garbage collector should eventually do the job.  I've
seen that careful password authentication implementations use a char array for
this reason.  Char arrays are mutable, so as soon as password processing is
complete, all of the array elements are zeroed out, reducing the time an
attacker might have to read the password off memory.  Tomcat's password
authentication methods should follow this best practice and be changed to do
the handling with char[].  

A risk of receiving the cleartext password is that someone with access to the
server may write code to store passwords, and if users use the same password
for other web accounts, then bad things can happen.  Hashing might make it just
a bit less easy for an insider to do that.  They can still do brute force and
dictionary attacks, of course.  So it doesn't go a long way at all.  

Hashing on the server is necessary to protect passwords in the event a
malicious person obtains access to the password table, even if hashing was done
on the client side.  Client side hashing by itself would make no difference

And of course, no kind of hashing protects from weak passwords or stolen
passwords from the clients via key loggers and whatnot.  

Should we change the meta data of this thread to reflect the direction the
discussion has taken?  Is this still a Tomcat 6 issue, or should we say it is a
proposed new feature for Tomcat 8 revisions?  Or do you think that all versions
of Tomcat should be updated?

You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message