Martin,
On 10/4/2011 2:06 PM, appy74@dsl.pipex.com wrote:
> Not sure about which version of security I will use but I would
> like to accommodate MD5 verification into things.
Note that MD5 doesn't verify anything. It's just a hashing function that
can be used to fingerprint data. I highly recommend:
a. Switch to another hash function if you can: MD5 kind of sucks
b. Limit the amount of data that can be hashed to some reasonable amount
(we use a 4096-character limit on passwords)
c. Salt your hashes in case someone steals your password database
(Tomcat's realms are not sufficient for this: you'll have to build
your own)
Tomcat's realms are all capable of hashing credentials based upon any
hashing algorithm available to the JVM.
-chris
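The three recommendations above, put together in one small example. This is added illustration, not code from the thread or from Tomcat; the record format `sha256$<salt>$<digest>`, the 16-byte salt, and the function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Recommendation b: cap input length so a client cannot make the server hash
# arbitrarily large "passwords" (the reply mentions a 4096-character limit).
MAX_PASSWORD_CHARS = 4096

# Recommendation a: something other than MD5. SHA-256 is used here to keep
# the stored record readable; a slow password KDF such as PBKDF2 is stronger.
HASH_NAME = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'sha256$<hex salt>$<hex digest>' (assumed format).

    Recommendation c: a fresh random salt is drawn per call unless one is supplied,
    so two users with the same password end up with different stored records.
    """
    if len(password) > MAX_PASSWORD_CHARS:
        raise ValueError("password exceeds %d characters" % MAX_PASSWORD_CHARS)
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.new(HASH_NAME, salt + password.encode("utf-8")).hexdigest()
    return "%s$%s$%s" % (HASH_NAME, salt.hex(), digest)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt kept in the record; compare in constant time."""
    if len(password) > MAX_PASSWORD_CHARS:
        return False
    try:
        name, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record
    candidate = hashlib.new(name, salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest_hex)


def unsalted_md5(password: str) -> str:
    """What an unsalted MD5 realm stores: equal passwords give equal digests,
    so a stolen table can be matched against precomputed digest lists."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()
```

The salt is stored in the clear next to the digest; its job is only to make each record unique, not to be secret.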
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org