[ https://jira.duraspace.org/browse/DS-861?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20455#action_20455 ]
Samuel Ottenhoff edited comment on DS-861 at 5/24/11 1:29 PM:
--------------------------------------------------------------
It should be possible to re-encrypt all user passwords using the dspace
command-line tool.
Adding a prefix to the user password will be enough for the code to know that
the password has been salted and re-hashed. The user changing the password will
then result in a "clean" (non-prefixed) salted, hashed password.
http://source.sakaiproject.org/viewsvn/kernel/trunk/kernel-impl/src/main/java/org/sakaiproject/user/impl/ReEncryptPasswords.java
> Salt PasswordAuthentication
> ---------------------------
>
> Key: DS-861
> URL: https://jira.duraspace.org/browse/DS-861
> Project: DSpace
> Issue Type: Improvement
> Components: DSpace API
> Affects Versions: 1.7.0
> Reporter: Alex Lemann
>
> DSpace does not store and use salted hash passwords for local database based
> authentication (PasswordAuthentication). This constitutes a security risk in
> that given a database dump an attacker can more easily crack passwords using
> a rainbow table. For more information see the Wikipedia article on salting
> password hashes:
> http://en.wikipedia.org/wiki/Salt_(cryptography)
> Possible Tasks:
> Create new configuration parameter for the salt value
> Automatically generate a securely random hash for new projects
> Document new configuration option & install information
> Store salted hashes in passwords in DB
> Use salt for authentication
_______________________________________________
Dspace-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-devel
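
The re-encryption scheme from the comment above, as an added Python sketch that is not DSpace or Sakai code: a bulk job salts and re-hashes each stored hash and marks it with a prefix, login rebuilds the old hash before checking a prefixed record, and a password change writes a clean non-prefixed record. Assumptions: the old scheme is an unsalted MD5 hex digest, the `rehashed$` prefix and `salt$hash` record layout are hypothetical, and PBKDF2-HMAC-SHA256 with a per-user random salt stands in for the salted hash.

```python
import hashlib, hmac, os

PREFIX = "rehashed$"   # hypothetical marker: record wraps an old unsalted hash
ITERATIONS = 100_000   # assumed PBKDF2 work factor

def legacy_hash(password):
    # Assumption: the pre-migration scheme is an unsalted MD5 hex digest.
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def _salted(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS).hex()

def _record(secret, prefix=""):
    salt = os.urandom(16)  # fresh random salt per user
    return f"{prefix}{salt.hex()}${_salted(secret, salt)}"

def reencrypt_all(rows):
    """Bulk job: no plaintext is available, so salt and hash the old hash itself."""
    for user, stored in rows.items():
        if "$" not in stored:          # bare legacy digest; skip migrated rows
            rows[user] = _record(stored, PREFIX)
    return rows

def set_password(rows, user, password):
    # A password change has the plaintext, so it stores a clean, non-prefixed record.
    rows[user] = _record(password)

def verify(password, stored):
    if "$" not in stored:  # row the bulk job has not reached yet
        return hmac.compare_digest(legacy_hash(password), stored)
    secret = password
    if stored.startswith(PREFIX):      # prefixed: rebuild the old hash first
        stored, secret = stored[len(PREFIX):], legacy_hash(password)
    salt_hex, expected = stored.split("$")
    return hmac.compare_digest(_salted(secret, bytes.fromhex(salt_hex)), expected)

def demo():
    rows = {"alice": legacy_hash("correct horse")}   # constructed sample row
    reencrypt_all(rows)
    wrapped_ok = verify("correct horse", rows["alice"])
    set_password(rows, "alice", "battery staple")
    return wrapped_ok, rows["alice"].startswith(PREFIX), verify("battery staple", rows["alice"])

if __name__ == "__main__":
    print(demo())
```

Re-running `reencrypt_all` leaves already converted rows untouched, so the command-line job can be repeated safely.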