Karsten Otto created JAMES-3674:
-----------------------------------
Summary: Support password salting and hash scheme upgrading
Key: JAMES-3674
URL: https://issues.apache.org/jira/browse/JAMES-3674
Project: James Server
Issue Type: Improvement
Components: UsersStore & UsersRepository
Affects Versions: master
Reporter: Karsten Otto
Currently, James does not use salt during password hashing, so its password
database is vulnerable to rainbow table cracking if someone ever manages to
steal it. Furthermore, there is no mechanism to upgrade user passwords to
stronger/different hashing once they are created (cf. legacy hashing mode).
This is a problem for any installation that does not employ an external LDAP
user database.
A simple solution is to include the user name as salt in the password hash. For
this purpose, the {{hashingMode}} choices in {{usersrepository.xml}} should
include a new mode "salted" in addition to "legacy" and "default".
Additionally, the database should include an explicit column in the user table,
which specifies the {{hashingMode}} of the stored password, and is used during
verification. However, when a user changes the password, the configured
{{algorithm}} and {{hashingMode}} from {{usersrepository.xml}} will be used
instead. This way, the database gradually upgrades over time to the preferred
setting.
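The verify-then-upgrade flow proposed above, as an added example and not code from James or from the reporter. It is a Python sketch, not the Java {{UsersRepository}}: the {{CONFIG}} dict stands in for the {{algorithm}} and {{hashingMode}} settings of {{usersrepository.xml}}, the {{UserRow}} class models the user table with the proposed explicit hashing-mode column, and the "legacy"/"default" modes are modelled as a plain unsalted digest (an assumption; the actual James encodings for those modes are not reproduced). Each stored row is verified with its own recorded mode, and a password change re-hashes with the currently configured algorithm and mode, so the table migrates one user at a time.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict

# Stand-in for <algorithm> and <hashingMode> in usersrepository.xml (assumption:
# a dict here, XML in James).
CONFIG = {"algorithm": "SHA-512", "hashingMode": "salted"}

# James-style algorithm names mapped to hashlib names (assumed for this sketch).
ALGORITHMS = {"SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def compute_hash(password: str, username: str, algorithm: str, hashing_mode: str) -> str:
    """Hash a password under a given algorithm and hashingMode.

    "legacy" and "default" are the existing unsalted modes, modelled here as a
    plain digest of the password (assumption). "salted" is the proposed mode:
    the user name is mixed into the digest as the salt, so two users with the
    same password no longer share a hash and a single precomputed table no
    longer covers the whole database.
    """
    digest = hashlib.new(ALGORITHMS[algorithm])
    if hashing_mode == "salted":
        # A separator keeps salt and password unambiguous ("ab"+"c" != "a"+"bc").
        digest.update(username.encode("utf-8"))
        digest.update(b"\x00")
    elif hashing_mode not in ("legacy", "default"):
        raise ValueError(f"unknown hashingMode {hashing_mode!r}")
    digest.update(password.encode("utf-8"))
    return digest.hexdigest()


@dataclass
class UserRow:
    """One row of the user table, with the proposed explicit hashing-mode column."""
    username: str
    password_hash: str
    algorithm: str
    hashing_mode: str


class UsersRepository:
    def __init__(self, config: dict):
        self.config = config
        self.rows: Dict[str, UserRow] = {}

    def import_row(self, row: UserRow) -> None:
        """Load a pre-existing row, e.g. one written before salting existed."""
        self.rows[row.username] = row

    def add_user(self, username: str, password: str) -> None:
        """Store a user under the currently configured algorithm and mode."""
        algorithm = self.config["algorithm"]
        mode = self.config["hashingMode"]
        self.rows[username] = UserRow(
            username, compute_hash(password, username, algorithm, mode), algorithm, mode
        )

    def test(self, username: str, password: str) -> bool:
        """Verify using the mode recorded in the row, not the configured one."""
        row = self.rows.get(username)
        if row is None:
            return False
        candidate = compute_hash(password, username, row.algorithm, row.hashing_mode)
        # Constant-time comparison avoids leaking how many digits matched.
        return hmac.compare_digest(candidate, row.password_hash)

    def update_password(self, username: str, new_password: str) -> None:
        """A password change re-hashes with the configured settings: the upgrade step."""
        if username not in self.rows:
            raise KeyError(username)
        self.add_user(username, new_password)

    def needs_upgrade(self, username: str) -> bool:
        """True while the row still uses something other than the configured settings."""
        row = self.rows[username]
        return (row.algorithm, row.hashing_mode) != (
            self.config["algorithm"],
            self.config["hashingMode"],
        )


if __name__ == "__main__":
    repo = UsersRepository(CONFIG)
    # Constructed legacy row: unsalted SHA-1, as an old installation might hold.
    repo.import_row(UserRow("alice", compute_hash("hunter2", "alice", "SHA-1", "legacy"), "SHA-1", "legacy"))
    print("legacy login ok:", repo.test("alice", "hunter2"), "needs upgrade:", repo.needs_upgrade("alice"))
    repo.update_password("alice", "correct horse")
    print("after change, mode:", repo.rows["alice"].hashing_mode, "needs upgrade:", repo.needs_upgrade("alice"))
```

The same re-hash could also run right after a successful {{test}} call, since the plaintext is available at that moment; that goes beyond the proposal, which upgrades only on password change. Using the user name as salt removes shared hashes within one installation, but the salt is predictable and identical across installations for the same user name; a random per-user salt stored in the same row is the stronger variant of the same scheme.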
T-Shirt size L.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)