[
https://issues.apache.org/jira/browse/FELIX-5934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16650122#comment-16650122
]
Christian Schneider commented on FELIX-5934:
--------------------------------------------
If we have a fixed default password then I would keep it in the source code as
plain text to make sure it is obvious that this password is not secure.
I don't think hashing the default password makes any sense. It is just security
by obscurity. Hashing a password only makes sense if it is secret.
> The Felix Web Console stores unsalted hashed password
> -----------------------------------------------------
>
> Key: FELIX-5934
> URL: https://issues.apache.org/jira/browse/FELIX-5934
> Project: Felix
> Issue Type: Bug
> Components: Web Console
> Reporter: Antonio Sanso
> Priority: Major
> Attachments: FELIX-5934-patch.txt
>
>
> The Felix Web Console currently stores unsalted hashed password [0]
> This violates common security hygiene and industry standard.
> The suggestion is to either add a random salt or use a stronger Password
> Storage algorithm e.g. *Argon2* or *PBKDF2* *.* See [1]
>
>
> [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]
> [1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
