milleruntime opened a new issue #1788: URL: https://github.com/apache/accumulo/issues/1788
Updating the password hash to use something stronger than SHA-256 is problematic for existing users. Expanding on the technique described in this JIRA issue: https://issues.apache.org/jira/browse/ACCUMULO-4044

Ideally, we would have a utility (maybe something similar to [ChangeSecret](https://github.com/apache/accumulo/blob/f88cb3bcebb744d7d1f3150877243c756d717ddb/server/base/src/main/java/org/apache/accumulo/server/util/ChangeSecret.java#L53)) which would allow an admin to update all passwords with a different hash, storing the algorithm with the password as the JIRA ticket describes. This would give users the most flexibility to choose a hash for their passwords. Accumulo would then be modified to check for this new type of password first, falling back to the legacy hash. This could then be used again in future releases for even stronger hashes.

An alternative approach would be to update the hardcoded hash in the next version, updating all the passwords on upgrade. This is less flexible for the users but improves security with a stronger hash.
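As an added illustration of the first approach (not code from Accumulo or from the issue author), the sketch below stores the algorithm alongside the hash in a self-describing string, checks that tagged format first and falls back to the legacy hash, and upgrades a legacy entry once a login proves the password. The legacy scheme here is assumed to be an untagged, unsalted SHA-256 hex digest, and the new scheme is PBKDF2-SHA256; both are stand-ins chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for the hardcoded legacy SHA-256 hash (assumption):
# an untagged hex digest with nothing to distinguish it from other formats.
def legacy_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# New self-describing format: "$<algorithm>$<iterations>$<salt-hex>$<digest-hex>".
# Because the algorithm travels with the hash, a future release can add a
# stronger tag without touching entries written by this one.
NEW_ALGO = "pbkdf2-sha256"
ITERATIONS = 100_000

def new_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"${NEW_ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"

def is_tagged(stored: str) -> bool:
    return stored.startswith("$")

def verify(password: str, stored: str) -> bool:
    """Check the tagged format first; fall back to the legacy hash otherwise."""
    if is_tagged(stored):
        _, algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != NEW_ALGO:
            return False  # unknown tag: reject rather than guess at the algorithm
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), digest_hex)
    # Legacy fallback, compared in constant time like the tagged path.
    return hmac.compare_digest(legacy_hash(password), stored)

def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Authenticate and, when a legacy entry verifies, return its replacement in
    the new format so the store migrates as users log in (plaintext is only
    available at that moment, never to an offline admin tool)."""
    ok = verify(password, stored)
    if ok and not is_tagged(stored):
        return True, new_hash(password)
    return ok, stored
```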
