tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Using multiple login pages
Date Tue, 04 Oct 2011 18:54:08 GMT

Martin,

On 10/4/2011 2:06 PM, appy74@dsl.pipex.com wrote:
> Not sure about which version of security I will use but I would
> like to accommodate MD5 verification into things.

Note that MD5 doesn't verify anything. It's just a hashing function that
can be used to fingerprint data. I highly recommend:

a. Switching to another hash function if you can: MD5 kind of sucks
b. Limit the amount of data that can be hashed to some reasonable amount
   (we use a 4096-character limit on passwords)
c. Salt your hashes in case someone steals your password database
   (Tomcat's realms are not sufficient for this: you'll have to build
    your own)

Tomcat's realms are all capable of hashing credentials with any hashing
algorithm available to the JVM.

-chris
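What recommendations (b) and (c) look like in code for a hand-built realm helper, as an added example that is neither Chris's code nor anything shipped with Tomcat. It assumes SHA-256 as the stand-in for MD5, a per-user 16-byte random salt, and a `base64(salt)$base64(digest)` storage format; all three are my choices, not something the message specifies.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public final class SaltedPasswordHasher {
    // Assumption: any MessageDigest name the JVM supports can be used here.
    // SHA-256 is a plain fast hash; a deliberately slow password KDF such as
    // PBKDF2 would be the stronger choice for stored credentials.
    private static final String ALGORITHM = "SHA-256";
    // The 4096-character limit from the message: bounds the work an
    // oversized login request can force the server to do.
    private static final int MAX_PASSWORD_CHARS = 4096;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    private SaltedPasswordHasher() {}

    /** Returns "base64(salt)$base64(digest)"; the salt is stored in the clear. */
    public static String hash(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);            // fresh salt per stored credential
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(digest(salt, password));
    }

    /** Checks a candidate password against a stored value in constant time. */
    public static boolean verify(String password, String stored) {
        int sep = stored.indexOf('$');
        if (sep < 0) {
            return false;               // malformed record, never a match
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(stored.substring(0, sep));
        byte[] expected = dec.decode(stored.substring(sep + 1));
        // MessageDigest.isEqual avoids leaking the mismatch position via timing.
        return MessageDigest.isEqual(expected, digest(salt, password));
    }

    private static byte[] digest(byte[] salt, String password) {
        if (password.length() > MAX_PASSWORD_CHARS) {
            throw new IllegalArgumentException("password exceeds " + MAX_PASSWORD_CHARS + " characters");
        }
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            md.update(salt);            // salt first, then the password bytes
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(ALGORITHM + " not available in this JVM", e);
        }
    }
}
```

Because every record carries its own salt, two users with the same password get different stored values, so a stolen database cannot be attacked with one precomputed table.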
