On Thu, Nov 1, 2012 at 9:24 AM, Umair Kayani <[email protected]> wrote:

> Helix, Using SSL was our backup plan. DSpace keeps the hash of the password
> in the database, so I was wondering at what servlet this change occurs. If the request
> is going with the clear password, then it must be converting it to match with the
> database password of the user for authentication. I need to know that code
> file or method for my understanding at least. Though I checked
> AuthenticationManager, AuthenticationMethod and the eperson code files and found
> nothing there except a hashcode method in the eperson code file. Can anyone
> confirm if this is the one which DSpace uses to convert the plain text password
> to a hashcode and then match that hashcode with the database hashcode.
As I said, I don't want to give bad security advice, but João already spilled the beans. If you have to do it, at least do it right!

Here's the change that added salted hashes, so it touches all the places that deal with hashes:
https://github.com/DSpace/DSpace/pull/41/files

So now that you're going to do hashing in Javascript, be aware that:

1) Logging in without Javascript enabled will not work.
2) The hash and salt will be transferred in plain text, so weak passwords can be brute-forced if this information is sniffed. Make sure to not allow users to set weak passwords; there surely are JS libraries for that.

You didn't answer my question: why not use HTTPS in the first place?

Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette

