[
https://issues.apache.org/jira/browse/JSPWIKI-20?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12546141
]
Janne Jalkanen commented on JSPWIKI-20:
---------------------------------------
The reason why I wanted to use the comma is because it would allow changing the
salt length transparently (and is more future-proof anyway).
We could easily add a "do not salt the password upon save" -feature in case the
passwords are shared with container. To which property we should bind it?
> Password hash should be salted
> ------------------------------
>
> Key: JSPWIKI-20
> URL: https://issues.apache.org/jira/browse/JSPWIKI-20
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication&Authorization
> Affects Versions: 2.5.139-beta
> Reporter: Janne Jalkanen
> Assignee: Janne Jalkanen
> Fix For: 2.8
>
> Attachments: jspwiki-20.patch
>
>
> The password hash is calculated as a direct SHA1-digest of the password.
> Unfortunately this means that it's vulnerable to brute-force attacks - there
> are many web sites which store SHA1 hashes of common passwords. The key
> space in most languages is pretty small... So the password should really be
> properly salted with preferably a long, random string.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
