tomcat-dev mailing list archives

Subject [Bug 51966] Tomcat does not support ssha hashed passwords in all contexts
Date Sun, 02 Feb 2014 17:59:17 GMT

--- Comment #15 from S <> ---

What I'm doing is to hash the user-entered password 999x on the client with a
salt (visible in the JS code) on the OK-Click in my login form. Then I send it
to Tomcat and have it compared to the stored hash (1000x hashed with the same

This way an unhashed password is never sent (not even when you are not
using https, which you shouldn't) and you can configure the number of
pre-hashing to your needs (to be safe against generating rainbow tables for
your salt). This might be useful in times of modern GPUs executing billions of
SHA1-hashes per second (2300M/s SHA1 hashes in 2009).

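An added example, not part of the original comment or of Tomcat: a Node.js sketch of the scheme described in comment #15 (999 SHA-1 rounds on the client, one more round on the server, compared with the stored 1000-round hash). The round construction, the use of one salt on both sides, and all function names and sample values are assumptions.

```javascript
// Added example: sketch of the scheme from the comment, not Tomcat code.
const crypto = require("crypto");

// Assumption: one round = SHA-1(salt || previous value); the comment does not
// give the exact construction.
function sha1Rounds(value, salt, rounds) {
  let cur = Buffer.from(value);
  for (let i = 0; i < rounds; i++) {
    cur = crypto.createHash("sha1").update(salt).update(cur).digest();
  }
  return cur;
}

// Client side: 999 rounds before the value leaves the browser.
function clientPreHash(password, salt) {
  return sha1Rounds(Buffer.from(password, "utf8"), salt, 999);
}

// Enrollment: the stored verifier is the 1000-round value.
function enroll(password, salt) {
  return sha1Rounds(Buffer.from(password, "utf8"), salt, 1000);
}

// Server side: one further round, then a constant-time comparison.
function serverVerify(received, salt, stored) {
  const candidate = sha1Rounds(received, salt, 1);
  return candidate.length === stored.length &&
    crypto.timingSafeEqual(candidate, stored);
}

// Constructed sample values.
const SALT = Buffer.from("constructed-demo-salt", "utf8");
const STORED = enroll("correct horse battery staple", SALT);

function demo() {
  const onWire = clientPreHash("correct horse battery staple", SALT);
  return {
    goodLogin: serverVerify(onWire, SALT, STORED),
    badLogin: serverVerify(clientPreHash("wrong guess", SALT), SALT, STORED),
    // The server cannot tell whether the 999-round value was just computed
    // from the password or recorded from an earlier login, so that value
    // needs the same transport protection (TLS) as a password.
    recordedValueAccepted: serverVerify(Buffer.from(onWire), SALT, STORED),
    // The stored 1000-round hash itself does not pass as a login value.
    storedHashAccepted: serverVerify(STORED, SALT, STORED),
  };
}

console.log(demo());
```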