[ https://issues.apache.org/jira/browse/ACCUMULO-4044?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Christopher Tubbs resolved ACCUMULO-4044.
-----------------------------------------
Resolution: Duplicate
Closing as duplicate of https://github.com/apache/accumulo/issues/1788
> Stronger/standardized password hashing
> --------------------------------------
>
> Key: ACCUMULO-4044
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4044
> Project: Accumulo
> Issue Type: Improvement
> Reporter: Christopher Tubbs
> Priority: Major
>
> Currently, Accumulo stores hashed passwords using SHA-256 and an 8-byte salt,
> in a custom output format.
> Instead, we should switch to using commons-codec's Crypt class to create
> crypt(3) style hashes, the default of which is to use SHA-512 with a 16-byte
> salt. The format is stored in a standard way, with an identifier to determine
> the hashing method which was used.
> We'd have to make sure that we can tell the difference between the new format
> and the old format, so we know how to properly verify user credentials. This
> would be easy if we stored the new form in a different zookeeper node, but we
> could also use a delimiter (not a fan of the delimiter, personally, because
> I'd prefer the standard format, unmodified). We might be able to
> automatically migrate to the new format upon authentication, so we can
> eventually drop the old format entirely++.
> ++ When we do eventually drop the old format, users will need to reset their
> passwords, or have an admin user do it for them. This shouldn't be a big
> issue if we wait a sufficient number of releases to drop the old format.
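As an added illustration (not Accumulo's code), the dual-format verification and opportunistic migration the description proposes, using commons-codec's Crypt class. The legacy byte layout (8 salt bytes followed by SHA-256 over salt and password) is an assumption, since the issue only calls it a custom format, and the record's format is taken from which ZooKeeper node it was read from, following the separate-node option rather than a delimiter.

```java
import static java.nio.charset.StandardCharsets.US_ASCII;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Optional;
import org.apache.commons.codec.digest.Crypt;

/** Verifies a stored credential in either format; a legacy record is re-hashed on success. */
public final class PasswordMigration {
    /** The ZooKeeper node a record was read from tells us its format, so no byte sniffing is needed. */
    public enum Format { LEGACY, CRYPT }
    private static final int LEGACY_SALT_LEN = 8;

    /** New format: commons-codec's default is $6$ (SHA-512) with a random 16-character salt. */
    public static byte[] hashNew(byte[] password) {
        return Crypt.crypt(password).getBytes(US_ASCII);
    }

    /** Assumed legacy layout (not taken from the issue): 8 salt bytes, then SHA-256(salt || password). */
    static byte[] hashLegacy(byte[] password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(password);
        byte[] digest = md.digest();
        byte[] out = Arrays.copyOf(salt, salt.length + digest.length);
        System.arraycopy(digest, 0, out, salt.length, digest.length);
        return out;
    }

    /**
     * Empty means authentication failed. Present means success, and the value is what the caller
     * should store from now on: unchanged for a crypt record, a fresh crypt(3) hash for a legacy one.
     */
    public static Optional<byte[]> verify(Format format, byte[] stored, byte[] password)
            throws NoSuchAlgorithmException {
        if (format == Format.CRYPT) {
            // Crypt.crypt(key, existingHash) reuses the "$6$<salt>$" prefix of the stored value,
            // so a correct password reproduces the identical string; compare in constant time.
            String expected = new String(stored, US_ASCII);
            byte[] actual = Crypt.crypt(password, expected).getBytes(US_ASCII);
            return MessageDigest.isEqual(stored, actual) ? Optional.of(stored) : Optional.empty();
        }
        if (stored.length <= LEGACY_SALT_LEN) return Optional.empty();
        byte[] salt = Arrays.copyOf(stored, LEGACY_SALT_LEN);
        boolean ok = MessageDigest.isEqual(stored, hashLegacy(password, salt));
        // Opportunistic migration: the verified plaintext is in hand, so re-hash it in the new format.
        return ok ? Optional.of(hashNew(password)) : Optional.empty();
    }
}
```

A caller that receives a present value differing from what it read should write the new hash to the new-format node and delete the legacy one, which is what lets the old format be dropped after enough releases.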