Christopher Tubbs created ACCUMULO-4044:
-------------------------------------------
Summary: Stronger/standardized password hashing
Key: ACCUMULO-4044
URL: https://issues.apache.org/jira/browse/ACCUMULO-4044
Project: Accumulo
Issue Type: Improvement
Reporter: Christopher Tubbs
Fix For: 1.8.0
Currently, Accumulo stores hashed passwords using SHA-256 and an 8-byte salt,
in a custom output format.
Instead, we should switch to using commons-codec's Crypt class to create
crypt(3) style hashes, the default of which is to use SHA-512 with a 16-byte
salt. The format is stored in a standard way, with an identifier to determine
the hashing method which was used.
We'd have to make sure that we can tell the difference between the new format
and the old format, so we know how to properly verify user credentials. This
would be easy if we stored the new form in a different zookeeper node, but we
could also use a delimiter (not a fan of the delimiter, personally, because I'd
prefer the standard format, unmodified). We might be able to automatically
migrate to the new format upon authentication, so we can eventually drop the
old format entirely*.
* When we do eventually drop the old format, users will need to reset their
passwords, or have an admin user do it for them. This shouldn't be a big issue
if we wait a sufficient number of releases to drop the old format.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
