[
https://issues.apache.org/jira/browse/JSPWIKI-20?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12587279#action_12587279
]
Janne Jalkanen commented on JSPWIKI-20:
---------------------------------------
So, what shall we do with this?
> Password hash should be salted
> ------------------------------
>
> Key: JSPWIKI-20
> URL: https://issues.apache.org/jira/browse/JSPWIKI-20
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication&Authorization
> Affects Versions: 2.5.139-beta
> Reporter: Janne Jalkanen
> Assignee: Janne Jalkanen
> Fix For: 2.8
>
> Attachments: jspwiki-20.patch
>
>
> The password hash is calculated as a direct SHA1-digest of the password.
> Unfortunately this means that it's vulnerable to brute-force attacks - there
> are many web sites which store SHA1 hashes of common passwords. The key
> space in most languages is pretty small... So the password should really be
> properly salted with preferably a long, random string.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
