[jira] [Commented] (FELIX-5934) The Felix Web Console stores unsalted hashed password

Antonio Sanso (JIRA) Mon, 15 Oct 2018 04:14:16 -0700


    [ 
https://issues.apache.org/jira/browse/FELIX-5934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16650083#comment-16650083
 ]


Antonio Sanso commented on FELIX-5934:
--------------------------------------

[~cziegeler] I attached a proposed patch. I improved the current hashing 
algorithm adding salting and hashing iterations.

> The Felix Web Console stores unsalted hashed password
> -----------------------------------------------------
>
>                 Key: FELIX-5934
>                 URL: https://issues.apache.org/jira/browse/FELIX-5934
>             Project: Felix
>          Issue Type: Bug
>          Components: Web Console
>            Reporter: Antonio Sanso
>            Priority: Major
>         Attachments: FELIX-5934-patch.txt
>
>
> The Felix Web Console currently stores unsalted hashed password [0]
> This violates common security hygiene and industry standard.
> The suggestion is to either add a random salt or use a stronger Password 
> Storage algorithm e.g. *Argon2*  or *PBKDF2*  *.* See [1]
>  
>  
> [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]
> [1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (FELIX-5934) The Felix Web Console stores unsalted hashed password

Reply via email to