[ https://issues.apache.org/jira/browse/SYNCOPE-100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francesco Chicchiriccò updated SYNCOPE-100:
-------------------------------------------

    Description: 
It would be best to add other password mechanisms that include salting and 
stretching of passwords (see links).
This would mean that an extra attribute has to be added to the user (salt) 
which can be used for that purpose.
You would be able to keep the old ones for backward compatibility and include 
new ones which are a lot safer. Apparently PBKDF2 is considered a secure 
mechanism.

Some reading material:
https://www.owasp.org/index.php/Hashing_Java
http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
http://throwingfire.com/storing-passwords-securely/

Jasypt (http://www.jasypt.org/) provides all the things mentioned in the 
articles, such as hashing, salting and iteration out of the box, and is also 
AL 2.0 licensed.

  was:
It would be best to add other password mechanisms that include salting and 
stretching of passwords (see links).
This would mean that an extra attribute has to be added to the user (salt) 
which can be used for that purpose.
You would be able to keep the old ones for backward compatibility and include 
new ones which are a lot safer. Apparently PBKDF2 is considered a secure 
mechanism.

Some reading material:
https://www.owasp.org/index.php/Hashing_Java
http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
http://throwingfire.com/storing-passwords-securely/

    
> Add more password encryption options
> ------------------------------------
>
>                 Key: SYNCOPE-100
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-100
>             Project: Syncope
>          Issue Type: Improvement
>            Reporter: Francesco Chicchiriccò
>              Labels: security
>
> It would be best to add other password mechanisms that include salting and 
> stretching of passwords (see links).
> This would mean that an extra attribute has to be added to the user (salt) 
> which can be used for that purpose.
> You would be able to keep the old ones for backward compatibility and include 
> new ones which are a lot safer. Apparently PBKDF2 is considered a secure 
> mechanism.
> Some reading material:
> https://www.owasp.org/index.php/Hashing_Java
> http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
> http://throwingfire.com/storing-passwords-securely/
> Jasypt (http://www.jasypt.org/) provides all the things mentioned in the 
> articles, such as hashing, salting and iteration out of the box, and is also 
> AL 2.0 licensed.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
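One way to implement what the description proposes (a per-user salt stored beside a stretched PBKDF2 hash, with an old unsalted mechanism still accepted so existing users keep working), as an added Java example that is not Syncope's or Jasypt's code. The `PBKDF2$iterations$salt$hash` record format, the iteration count and the legacy `SHA1$digest` form are assumptions made here, not formats from the issue.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PasswordHashing {
    private static final int ITERATIONS = 100_000; // stretching factor, an assumed value
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    /** Hashes with a fresh random salt; the stored record carries the salt. */
    public static String hashPbkdf2(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        // Self-describing record: algorithm, iterations, salt, hash (format assumed here).
        return "PBKDF2$" + ITERATIONS + "$" + b64(salt) + "$" + b64(pbkdf2(password, salt, ITERATIONS));
    }

    /** Verifies a PBKDF2 record, or a legacy unsalted SHA-1 record kept for old users. */
    public static boolean verify(char[] password, String stored) throws GeneralSecurityException {
        String[] p = stored.split("\\$");
        Base64.Decoder dec = Base64.getDecoder();
        if (p.length == 4 && "PBKDF2".equals(p[0])) {
            byte[] salt = dec.decode(p[2]);
            byte[] expected = dec.decode(p[3]);
            // Constant-time comparison avoids leaking where the digests differ.
            return MessageDigest.isEqual(expected, pbkdf2(password, salt, Integer.parseInt(p[1])));
        }
        if (p.length == 2 && "SHA1".equals(p[0])) {
            // Legacy mechanism (format assumed) kept only for backward compatibility;
            // re-hash with hashPbkdf2 after the next successful login.
            byte[] digest = MessageDigest.getInstance("SHA-1")
                    .digest(new String(password).getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(dec.decode(p[1]), digest);
        }
        return false; // unknown record format
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    private static String b64(byte[] b) {
        return Base64.getEncoder().withoutPadding().encodeToString(b);
    }
}
```

Because the record names its own algorithm and iteration count, old and new hashes can coexist in the same attribute and the iteration count can be raised later without breaking existing users.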

