We should probably use http://www.mindrot.org/projects/jBCrypt/. (Lots of background: http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html)

We kind of have a nagging feeling though that rolling our own auth framework in 2010 is the wrong approach. http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer has been mentioned as an alternative.

The ML is the appropriate place for this, yes. :)

On Tue, Mar 9, 2010 at 3:42 PM, Morten Wegelbye Nissen <m...@monit.dk> wrote:
> Hi All,
>
> In simple authenticator it's possible to configure passwords to be stored as
> MD5 sums - for a security sucker there are two problems here.
> MD5 is broken[1].
> There is no salt added to the clear value, meaning if two users choose to have the
> same password, the encoded values would be the same.
> I suggest that someone add support for an alternative hashing algorithm, and
> that the hash is calculated with some prefix (username maybe).
>
> I know the present is better than having the passwords in cleartext. But
> when a user chooses to enable password hashing, it's for a reason. And
> there is no reason to choose to jump into the common security pitfalls :)
>
> btw. is it against the protocol to raise this kind of questions to this
> mailing list? Or should it be somewhere else?
>
> ./Morten
>
> [1] http://en.wikipedia.org/wiki/MD5 (Back in 1995 it was recommended not
> to base further security on md5)
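As an added illustration (not code from the thread or from the project), the following Python shows the two problems Morten raises and one salted alternative: a bare MD5 table exposes which users share a password without cracking anything, while a per-user random salt with an iterated hash does not. PBKDF2-HMAC-SHA256 from the standard library stands in for jBCrypt, and the user table is constructed.

```python
"""Constructed example: unsalted MD5 leaks password equality across users;
a salted, iterated hash does not. Added illustration, not the project's code."""
import hashlib
import hmac
import os

# Constructed user table: two users happen to choose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}


def md5_unsalted(password: str) -> str:
    """The weak scheme described in the thread: bare MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def equal_password_pairs(table: dict) -> list:
    """Groups of users whose stored values are identical. With unsalted MD5
    this is exactly the set of users sharing a password, readable by anyone
    who sees the table, no cracking required."""
    by_hash = {}
    for user, pw in table.items():
        by_hash.setdefault(md5_unsalted(pw), []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


def hash_password(password: str, salt: bytes = None, rounds: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 stands in for bcrypt because
    it is in the standard library). A fresh random salt per user makes equal
    passwords produce unrelated stored values; rounds make guessing slow."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and rounds, then compare in constant time."""
    _algo, rounds, salt_hex, _dk_hex = stored.split("$")
    recomputed = hash_password(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(recomputed, stored)


def salted_table(table: dict) -> dict:
    """The corrected table: every user gets an independent salt."""
    return {user: hash_password(pw) for user, pw in table.items()}
```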