On 12/06/2011 20:29, Pid wrote:
> On 12/06/2011 17:12, Petr Hracek wrote:
>> And what about in case that I have my own program for accessing to the
>> specific databases where the passwords are stored as hashes?
>>
>> Are there any possibilities how to run that program for getting unhashed
>> password from database?
>
> Why not hash the inbound password, then send & compare it against the
> one in the DB, rather than decoding it?
>
> The Realm implementations can handle this, if you're using a standard
> hashing method that Java recognises.
>
> Hopefully you've not invented your own hashing method.

Hmm.

Hash functions are meant to be one way. It should be impossible to
retrieve an unhashed password from the database.

I hope that the original description is inaccurate rather than an
example of (yet another) badly broken home-grown security solution that
needs to be thrown away.

Mark