[ https://issues.apache.org/jira/browse/FELIX-5934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16685048#comment-16685048 ]
Carsten Ziegeler commented on FELIX-5934:
-----------------------------------------

[~asanso] Different ticket sounds good to me, thanks

> The Felix Web Console stores unsalted hashed password
> -----------------------------------------------------
>
>                 Key: FELIX-5934
>                 URL: https://issues.apache.org/jira/browse/FELIX-5934
>             Project: Felix
>          Issue Type: Bug
>          Components: Web Console
>            Reporter: Antonio Sanso
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: webconsole-4.3.10
>
>         Attachments: FELIX-5934-patch.txt
>
>
> The Felix Web Console currently stores unsalted hashed passwords [0].
> This violates common security hygiene and industry standards.
> The suggestion is to either add a random salt or use a stronger Password
> Storage algorithm, e.g. *Argon2* or *PBKDF2*. See [1].
>
> [0] https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167
> [1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet