Hi,

I've invested some time in adapting the password storage mechanism in Syncope. With what I did it's now possible to have salted & stretched passwords with the algorithms already supported, using the Jasypt lib and also another algorithm called BCrypt (present in Spring Crypto). Although there are also password digest algorithms in Spring, I opted to use Jasypt. Jasypt also does LDAP style password hashing which could be interesting if people want to sync passwords with an LDAP. However I didn't add this algorithm for the moment.
The old algorithms are still supported. Additionally I added the possibility to do the same for the admin user. This means a change in SecurityContext & security.properties for those who want to benefit from this, but it's still backwards compatible.

Do I add all my stuff as a patch in Jira to the password ticket (Apache jira down?) so someone can review what I did?

best regards
Bob
