[
https://issues.apache.org/jira/browse/DERBY-5550?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13239420#comment-13239420
]
Knut Anders Hatlen commented on DERBY-5550:
-------------------------------------------
Thanks, Kim. The changes look good and complete to me. Two tiny comments:
- Maybe we should just say "difficult" instead of "extremely difficult" in the
description of the saltLength property?
- In the NATIVE authentication topic, we now say: "Two related properties are
derby.authentication.builtin.saltLength and
derby.authentication.builtin.iterations, which make the encrypted passwords
harder for attackers to decipher."
The properties don't necessarily make it harder for attackers, for example if
they are set to values lower than their defaults. So maybe change the last
clause to "which may be used to ..."?
Another small issue with that sentence is that it says the passwords are
encrypted in the database (that's also said some other places in the NATIVE
authentication topic). The passwords are hashed, not encrypted, so we might
want to change "encrypted passwords" -> "hashed passwords" and maybe also
"decipher" -> "crack".
> Document derby.authentication.builtin.saltLength and
> derby.authentication.builtin.iterations
> --------------------------------------------------------------------------------------------
>
> Key: DERBY-5550
> URL: https://issues.apache.org/jira/browse/DERBY-5550
> Project: Derby
> Issue Type: Improvement
> Components: Documentation
> Affects Versions: 10.9.0.0
> Reporter: Knut Anders Hatlen
> Assignee: Kim Haase
> Attachments: DERBY-5550.diff, DERBY-5550.stat, DERBY-5550.zip
>
>
> DERBY-5539 introduced two new properties that control how BUILTIN stores
> credentials:
> - derby.authentication.builtin.saltLength (default: 16)
> This property specifies the number of bytes of random salt that will be added
> to the credentials before hashing them. (Purpose of the property: Make it
> infeasible to construct rainbow tables.)
> - derby.authentication.builtin.iterations (default: 1000, minimum: 1)
> This property specifies the number of times to apply the hash function (which
> is specified by derby.authentication.builtin.algorithm) on the credentials.
> (Purpose of the property: Slow down attackers as they'll need to spend more
> time calculating hashes.)
> Both the properties have effect only if BUILTIN authentication is enabled and
> derby.authentication.builtin.algorithm has a non-null value.
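The credential-hashing scheme the quoted description outlines (a random salt added to the credentials, then the hash function applied `iterations` times), as an added Python illustration. This is not Derby's own code: the "sha256" algorithm name standing in for derby.authentication.builtin.algorithm, the record layout, and the function names are assumptions.

```python
import hashlib
import secrets
from hmac import compare_digest

# Values quoted in the issue: 16 bytes of salt, 1000 iterations (minimum 1).
# "sha256" is an assumed stand-in for derby.authentication.builtin.algorithm.
DEFAULT_SALT_LENGTH = 16
DEFAULT_ITERATIONS = 1000
DEFAULT_ALGORITHM = "sha256"


def hash_credentials(password: str, salt: bytes, iterations: int,
                     algorithm: str = DEFAULT_ALGORITHM) -> bytes:
    """Prepend the salt to the password and apply the hash `iterations` times.

    Each extra iteration costs a guessing attacker one more hash call per
    candidate password; an empty salt makes a precomputed table reusable
    across every user, which is why lowering the defaults weakens the scheme.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(algorithm, digest).digest()
    return digest


def store_credentials(password: str, salt_length: int = DEFAULT_SALT_LENGTH,
                      iterations: int = DEFAULT_ITERATIONS,
                      algorithm: str = DEFAULT_ALGORITHM) -> dict:
    """Build a stored record (assumed layout): the parameters travel with the
    hash so verification keeps working if the defaults are changed later."""
    salt = secrets.token_bytes(salt_length)
    return {
        "algorithm": algorithm,
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": hash_credentials(password, salt, iterations, algorithm).hex(),
    }


def verify_credentials(record: dict, password: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = hash_credentials(password, bytes.fromhex(record["salt"]),
                              record["iterations"], record["algorithm"])
    return compare_digest(expected, actual)
```

Because the hash is one-way, the stored record can be checked against a presented password but cannot be decrypted back into it, which is the distinction the comment above draws between "hashed" and "encrypted".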