Hi,

Interesting library. The hashed password also contains the salt, so there would be no need to have a salt property on the user.

Bob

On Jun 21, 2012 11:18 AM, "Jesse van Bekkum" <[email protected]> wrote:

> Just to make you guys aware, have a look at this library jasypt (http://www.jasypt.org/).
>
> It provides all the things mentioned in the articles, such as hashing, salting and iteration out of the box.
>
> Jesse van Bekkum
>
> On Thu, Jun 21, 2012 at 10:54 AM, Francesco Chicchiriccò <[email protected]> wrote:
>
> > On 21/06/2012 09:23, Bob Lannoy wrote:
> >
> >> Hi guys,
> >>
> >> Some reading material:
> >> https://www.owasp.org/index.php/Hashing_Java
> >> http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
> >> http://throwingfire.com/storing-passwords-securely/
> >
> > Nice insight: I'll add this to the roadmap.
> >
> >> Another remark, I find it strange that when reading a user object I can get
> >> the password. Wouldn't it make more sense to let this inside core?
> >
> > Don't worry: the password you will get is encrypted with the selected algorithm.
> >
> > Regards.
> >
> > --
> > Francesco Chicchiriccò
> >
> > ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
> > http://people.apache.org/~ilgrosso/
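
Added example, not part of the thread and not jasypt's or Syncope's code: a stored value that carries its own salt, as the reply at the top describes, so verification needs only the stored string and the candidate password. It uses the JDK's PBKDF2WithHmacSHA256 for the salted, iterated hash; the class name, the Base64(salt || hash) layout and the parameter values are assumptions made for this sketch.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
// Added illustration: the salt travels inside the stored value, so the user record
// needs no separate salt property. Parameters below are assumed for this sketch.
public class SaltInsideDigest {
    static final int SALT_BYTES = 16;
    static final int ITERATIONS = 100_000;
    static final int HASH_BITS = 256;

    static byte[] derive(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Stored value = Base64(salt || hash), with a fresh random salt per password.
    static String encode(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(password, salt);
        byte[] out = Arrays.copyOf(salt, salt.length + hash.length);
        System.arraycopy(hash, 0, out, salt.length, hash.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Splits the salt back out of the stored value, re-derives, compares in constant time.
    static boolean matches(char[] password, String stored) throws GeneralSecurityException {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(stored);
        } catch (IllegalArgumentException e) {
            return false; // stored value is not valid Base64
        }
        if (raw.length != SALT_BYTES + HASH_BITS / 8) return false;
        byte[] salt = Arrays.copyOfRange(raw, 0, SALT_BYTES);
        byte[] expected = Arrays.copyOfRange(raw, SALT_BYTES, raw.length);
        return MessageDigest.isEqual(expected, derive(password, salt));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String stored = encode("s3cret-constructed".toCharArray()); // constructed sample password
        System.out.println("stored value:   " + stored);
        System.out.println("right password: " + matches("s3cret-constructed".toCharArray(), stored));
        System.out.println("wrong password: " + matches("guess".toCharArray(), stored));
    }
}
```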
