tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 51966] Tomcat does not support ssha hashed passwords in all contexts
Date Wed, 05 Feb 2014 22:23:35 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966

--- Comment #16 from Christopher Schultz <chris@christopherschultz.net> ---
(In reply to S from comment #15)
> Hi,
> 
> what I'm doing is to hash the user-entered password 999x on the client with
> a salt (visible in the JS code) on the OK-Click in my login form. Then I
> send it to Tomcat and have it compared to the stored hash (1000x hashed with
> the same salt).

This is awful security. When the client is involved in authentication, that's
called not being authenticated.

In production, we salt-hash 75000 times by default, and should probably do
more. 10k times isn't nearly enough.

> This way an unhashed password is never sent (not even when you are not
> using https, which you shouldn't) and you can configure the number of
> pre-hashing rounds to your needs (to be safe against generating rainbow
> tables for your salt). This might be useful in times of modern GPUs
> executing billions of SHA1-hashes per second (2300M/s SHA1 hashes in 2009).

Shouldn't use HTTPS, or shouldn't send otherwise-unencrypted passwords over
HTTPS? Both of those sound like bad advice.

Nobody should be using SHA-1 anymore for authentication.

Realistically, nobody should be using crypto hashing for password hashing,
anyway.

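The exchange above is about two designs: the client-side SHA-1 pre-hash chain from comment #15, and the server-side slow hash that comment #16 argues for. The following is an added example, not code from the thread or from Tomcat. It reconstructs the pre-hash scheme under assumptions the thread does not state (the chain is sha1(salt || previous), the salt is one site-wide constant visible in the page's JavaScript, and the salt bytes below are a constructed sample), and shows the consequence Christopher Schultz points at: whatever the browser sends is accepted after one more round, so a pre-hash captured once is a reusable credential. For the alternative, it uses PBKDF2-HMAC-SHA256 with a per-user random salt and 75000 iterations only because PBKDF2 is in the Python standard library; the "don't use crypto hashing" remark is an argument for bcrypt, scrypt or Argon2, which have the same store/verify shape with a memory-hard core.

```python
import hashlib
import hmac
import os

# --- Part 1: the client-side pre-hash scheme from comment #15, reconstructed ---
# Assumptions (not in the thread): chain is sha1(salt || previous value),
# and the salt is a single site-wide constant embedded in the login page's JS.
CLIENT_SALT = b"site-wide-salt-visible-in-js"   # constructed sample value
CLIENT_ROUNDS = 999                              # "hash ... 999x on the client"
SERVER_ROUNDS = CLIENT_ROUNDS + 1                # "1000x hashed with the same salt"


def sha1_chain(value: bytes, salt: bytes, rounds: int) -> bytes:
    """Apply sha1(salt || value) `rounds` times and return the final digest."""
    for _ in range(rounds):
        value = hashlib.sha1(salt + value).digest()
    return value


def client_prehash(password: str) -> bytes:
    """What the browser sends instead of the password."""
    return sha1_chain(password.encode("utf-8"), CLIENT_SALT, CLIENT_ROUNDS)


def stored_value(password: str) -> bytes:
    """What the server keeps in its user database (1000 rounds, same salt)."""
    return sha1_chain(password.encode("utf-8"), CLIENT_SALT, SERVER_ROUNDS)


def server_accepts(received: bytes, stored: bytes) -> bool:
    """Server side: one more round on whatever arrived, then constant-time compare."""
    candidate = hashlib.sha1(CLIENT_SALT + received).digest()
    return hmac.compare_digest(candidate, stored)


def replay_works(captured_prehash: bytes, stored: bytes) -> bool:
    """An attacker who saw the pre-hash once (plain HTTP, a proxy log, an
    injected script) resubmits it verbatim. No password is needed: the
    pre-hash is the credential, which is why comment #16 says that letting
    the client do the work is not authentication."""
    return server_accepts(captured_prehash, stored)


# --- Part 2: server-side slow hashing with a per-user random salt ---
# The password itself travels to the server (over TLS); nothing reusable is
# ever derived on the client, and each guess against a stolen record costs
# `iterations` HMAC evaluations rather than one SHA-1 per round.

def make_record(password: str, iterations: int = 75_000) -> dict:
    """Create the stored record for a new password: fresh 16-byte salt per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_record(password: str, record: dict) -> bool:
    """Re-derive from the submitted password and the stored salt/iterations."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], record["iterations"], dklen=32)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    pw = "correct horse battery staple"
    db = stored_value(pw)
    on_the_wire = client_prehash(pw)
    print("pre-hash scheme, legitimate login accepted:", server_accepts(on_the_wire, db))
    print("pre-hash scheme, replayed pre-hash accepted:", replay_works(on_the_wire, db))
    print("pre-hash scheme, same password => same stored value:", stored_value(pw) == db)

    rec = make_record(pw)
    print("server-side PBKDF2, correct password:", verify_record(pw, rec))
    print("server-side PBKDF2, wrong password:", verify_record("wrong", rec))
    print("server-side PBKDF2, same password => different records:",
          make_record(pw)["hash"] != rec["hash"])
```

Two things the output makes visible. In the pre-hash scheme the stored value depends only on the site-wide salt, so every user with the same password has the same database entry and one offline guess (1000 SHA-1 evaluations) tests all of them at once; the per-user salt in the second scheme removes that. And the replay result is the same `True` as the legitimate login, because the server cannot tell a browser that knows the password from one that merely knows the 999-round digest.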

