> -----Original Message-----
> From: Marlon Pierce [mailto:[email protected]]
> Sent: Thursday, August 04, 2011 4:53 PM
> To: [email protected]
> Subject: [discuss] hashing, salting, and initial_data.sql
>
> I'm looking at hashing and salting passwords stored in Rave's database. This
> works fine for new user accounts, but the demo accounts (canonical,
> john.doe, etc.) are a problem because they are inserted directly into the DB by
> DataSourcePopulator.java by reading initial_data.sql. It would be possible to
> grok the "@user_id_" lines from initial_data.sql and hash the passwords there
> in SqlFileParser.java before inserting in the DB, but this would be an ugly and
> fragile hack.
>
> Other suggestions? Should we populate the database of demo users through
> JPA instead of inserting directly via SQL commands?
Is there some reason you can't salt and hash the passwords for the demo accounts manually and then insert the pre-salted/hashed values directly into the initial_data.sql file (with a comment block explaining what's being done and what the actual passwords are)? Admittedly not the most elegant solution, but it seems good enough for what we need to do.

> Marlon
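The approach suggested in the reply, precomputing the salted hashes offline and writing only the salt and hash into the seed file together with a comment block naming the plaintext demo passwords, as an added example. This is not Apache Rave code and nothing here is taken from initial_data.sql; the table and column names (`person`, `username`, `password`, `salt`), the choice of PBKDF2-HMAC-SHA256 and hex encoding, and the demo credentials in the usage block are all assumptions. It goes slightly beyond the reply by also including a verify function and a reader for the generated INSERT lines, so the file can be checked before it is committed. The one thing that matters in practice is that the hash, salt handling and encoding match whatever the application's own password encoder computes at login; otherwise the seeded demo accounts simply cannot log in.

```python
"""Precompute salted password hashes for demo accounts in a SQL seed file.

Added example, not Apache Rave project code. Hypothetical assumptions: a
table `person` with columns username, password, salt; PBKDF2-HMAC-SHA256
with the salt and hash stored as hex. Whatever the real application uses
to check a login (its password encoder, salt source, encoding) must be
used here instead, or the seeded demo logins will fail at runtime.
"""
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000   # PBKDF2 work factor; keep in sync with the application
SALT_BYTES = 16        # 128-bit random salt per account

# Matches one SQL string literal, allowing '' as an escaped single quote.
_SQL_LITERAL = re.compile(r"'((?:[^']|'')*)'")


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Return hex(PBKDF2-HMAC-SHA256(password, salt))."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return dk.hex()


def verify_password(password: str, salt_hex: str, hash_hex: str,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hash_password(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, hash_hex)


def _sql_quote(value: str) -> str:
    """Minimal SQL string literal: double any embedded single quote."""
    return "'" + value.replace("'", "''") + "'"


def seed_sql(accounts, salt_source=os.urandom) -> str:
    """Emit a comment block listing the plaintext demo passwords, followed by
    INSERT statements that carry only the salt and the hash, never the plaintext.

    accounts: iterable of (username, plaintext_password).
    salt_source: callable returning n random bytes; injectable for tests.
    """
    accounts = list(accounts)
    lines = [
        "-- Demo accounts. The password column holds",
        "-- hex(PBKDF2-HMAC-SHA256(password, salt)), not the password itself.",
        "-- Plaintext passwords for these demo logins:",
    ]
    lines += [f"--   {user}: {pw}" for user, pw in accounts]
    for username, password in accounts:
        salt = salt_source(SALT_BYTES)          # fresh salt per account
        lines.append(
            "INSERT INTO person (username, password, salt) VALUES ("
            f"{_sql_quote(username)}, {_sql_quote(hash_password(password, salt))}, "
            f"{_sql_quote(salt.hex())});"
        )
    return "\n".join(lines) + "\n"


def parse_seed_rows(sql: str):
    """Read back (username, hash_hex, salt_hex) from the INSERT lines written by
    seed_sql, so the generated file can be checked before it is committed."""
    rows = []
    for line in sql.splitlines():
        if not line.startswith("INSERT INTO person"):
            continue
        literals = [m.replace("''", "'") for m in _SQL_LITERAL.findall(line)]
        rows.append(tuple(literals))
    return rows


if __name__ == "__main__":
    # Constructed demo credentials; not the project's real demo passwords.
    demo = [("canonical", "demo-pass-1"), ("john.doe", "demo-pass-2")]
    sql = seed_sql(demo)
    print(sql)
    for user, hash_hex, salt_hex in parse_seed_rows(sql):
        assert verify_password(dict(demo)[user], salt_hex, hash_hex), user
```

Run it once, paste the emitted lines into the seed file, and keep the comment block next to them; the script itself should live outside the runtime classpath so the plaintext list never ships with the application. Because each account gets its own salt, two demo users with the same password still end up with different stored hashes, which is the property the salt is there to provide.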
