Hello Joakim, John and Greg,

Thanks a lot for your prompt reply, this has helped me a great deal. I will go ahead with using the OBF format in my configurations.
Thanks,
Smita

On Fri, Jul 16, 2021 at 2:55 AM Greg Wilkins <gr...@webtide.com> wrote:
>
> John,
>
> Not secure at all, nor is it intended to be.
>
> The issue is that if the server is to be started automatically without the need to enter a passphrase, then encryption cannot be used since the server needs to provide the keystore passwords at runtime. OBF is simply a way to put the pass phrases into a configuration file so that a casual observer looking over your shoulder cannot easily remember the configured passwords. MD5 cannot be used at all in this situation (it is provided for checking things like BASIC authentication where a credential is sent over "the wire" but we want to avoid storing such credentials on the server, so we check the MD5 of the provided credential with the stored MD5).
>
> BCrypt would not help, as it requires a passphrase. If we put that passphrase in a config file, then it's just the same problem... how to protect the passphrase needed to recover the password needed to recover the private key ....
>
> Ultimately if a server is to start automatically, without human intervention, then you need to rely on the OS security to keep a configuration file secure.
>
> cheers
>
> On Fri, 16 Jul 2021 at 01:52, John English <john.fore...@gmail.com> wrote:
>
>> On 15/07/2021 18:27, Joakim Erdfelt wrote:
>> > The `MD5:` format Credential / Password is what's known as a 1-way hash (this is not encryption).
>> > You can take a password and generate a MD5.
>> > Then later, when a password is provided, you can run the hash again and compare the resulting MD5 to know if the password that was provided is a match.
>>
>> Ouch. MD5? Not terribly secure. I prefer BCrypt.
>>
>> --
>> John English
>
> --
> Greg Wilkins <gr...@webtide.com> CTO http://webtide.com
_______________________________________________ jetty-users mailing list jetty-users@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
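Greg's two points above, that an auto-starting server can only lean on OS file protection for its OBF/plain passwords and that `MD5:` is for verifying a presented credential rather than recovering one, as an added Python example that is not part of this thread or of Jetty's own code. It classifies password properties in a constructed start.d-style ini snippet by Jetty prefix (OBF, MD5, CRYPT or plain), flags which ones are recoverable from the file alone, checks that the file mode excludes group and other, and verifies a presented credential against a stored `MD5:` value; the property regex, the sample lines and the helper names are assumptions.

```python
import hashlib
import hmac
import os
import re
import stat

# Credential prefixes Jetty recognises; anything else is treated as plain text.
PREFIXES = ("OBF:", "MD5:", "CRYPT:")
# Property lines such as jetty.sslContext.keyStorePassword=OBF:... (assumed layout).
PASSWORD_RE = re.compile(r"(?i)^\s*([\w.-]*password[\w.-]*)\s*=\s*(\S+)")

# Constructed sample of a start.d/ssl.ini; the values are illustrative only.
SAMPLE_INI = [
    "jetty.sslContext.keyStorePath=etc/keystore.p12",
    "jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vu9",
    "jetty.sslContext.keyManagerPassword=keypwd",
]


def classify(value):
    """Return OBF, MD5, CRYPT or PLAIN depending on the value's prefix."""
    for prefix in PREFIXES:
        if value.startswith(prefix):
            return prefix[:-1]
    return "PLAIN"


def audit_lines(lines):
    """One finding per password property: key, format, and whether anyone who can
    read the file can recover the secret (PLAIN and OBF need no key to reverse)."""
    findings = []
    for line in lines:
        m = PASSWORD_RE.match(line)
        if m:
            key, value = m.groups()
            fmt = classify(value)
            findings.append({"key": key, "format": fmt,
                             "reversible": fmt in ("PLAIN", "OBF")})
    return findings


def file_is_private(path):
    """True when no group/other permission bits are set: the OS-level protection
    that an auto-starting server ultimately relies on for its config file."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0


def md5_matches(stored, presented):
    """Re-hash the presented credential and compare it, in constant time, with the
    stored MD5:<hex> value; this verifies a credential, it cannot recover one."""
    if not stored.startswith("MD5:"):
        return False
    digest = hashlib.md5(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(stored[4:].lower(), digest)
```

Running `audit_lines(SAMPLE_INI)` reports both password entries as reversible, which is why the surrounding file's mode matters more than the OBF encoding itself.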