OK thanks. Well I'd say that "SSHA256" would be best, WDYT? BTW I'm a bit dubious about "SECRET_KEY = DEFAULT_SECRET_KEY;" in Encryptor. If SECRET_KEY is null we should probably throw an exception...
Colm.

On Fri, Jul 14, 2017 at 10:48 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

> On 14/07/2017 11:45, Colm O hEigeartaigh wrote:
>
>> How does the salt configuration work for "SSHA256"? Is it stored in
>> security.properties?
>
> Password values are encrypted by
>
> https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
>
> with configuration from security.properties
>
> Regards.
>
>> On Fri, Jul 14, 2017 at 10:41 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>>
>>> On 14/07/2017 11:40, Colm O hEigeartaigh wrote:
>>>
>>>> I guess SHA-256 would be a straightforward replacement. Maybe we should
>>>> instead move to a salted hash though?
>>>
>>> Well, just set your preference among
>>>
>>> https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/types/CipherAlgorithm.java
>>>
>>> :-)
>>>
>>> Regards.
>>>
>>>> On Fri, Jul 14, 2017 at 9:52 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
>>>>
>>>>> On 14/07/2017 10:48, Colm O hEigeartaigh wrote:
>>>>>
>>>>>> Should we change the default password algorithm from SHA1 for 2.1.0? It's
>>>>>> probably time to migrate from SHA1 IMO.
>>>>>
>>>>> Makes sense.
>>>>>
>>>>> The only problem I could see is when pulling hashed password values from
>>>>> LDAP, where SHA1 is still quite common. Not a big deal, anyway.
>>>>>
>>>>> Which algorithm do you propose?
>>>>>
>>>>> Regards.
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
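An added illustration of the two options weighed in the thread (unsalted SHA1 versus a salted SHA-256) together with a fail-closed secret-key loader of the kind Colm suggests; this is example code, not Syncope's Encryptor or anything from the thread. It assumes the LDAP-style `{SSHA256}` layout (base64 of digest followed by salt) as the storage format, and the salt length and the `secretKey` config name are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LEN = 16  # bytes of random salt per password; a constructed choice for this example
PREFIX = "{SSHA256}"  # LDAP-style scheme tag, assumed here as the storage layout


def load_secret_key(config: dict) -> str:
    """Fail closed: a missing key raises instead of silently falling back to a default."""
    key = config.get("secretKey")  # config key name is an assumption, not Syncope's
    if not key:
        raise ValueError("secretKey is not configured")
    return key


def sha1_hash(password: str) -> str:
    """Unsalted SHA1, the current default: equal passwords always give equal hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def ssha256_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-256: base64(sha256(password || salt) || salt), fresh salt per call."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha256_verify(password: str, stored: str) -> bool:
    """Recover the salt from the stored value, recompute, and compare in constant time."""
    if not stored.startswith(PREFIX):
        return False
    blob = base64.b64decode(stored[len(PREFIX):])
    digest, salt = blob[:32], blob[32:]  # a SHA-256 digest is 32 bytes; the rest is salt
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Two users with the same password: SHA1 reveals that fact, SSHA256 does not.
    print(sha1_hash("correct horse") == sha1_hash("correct horse"))        # True
    print(ssha256_hash("correct horse") == ssha256_hash("correct horse"))  # False
    stored = ssha256_hash("correct horse")
    print(ssha256_verify("correct horse", stored), ssha256_verify("wrong", stored))  # True False
```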