On 14/07/2017 11:54, Colm O hEigeartaigh wrote:
OK thanks. Well I'd say that "SSHA256" would be best, WDYT?
BTW I'm a bit dubious about "SECRET_KEY = DEFAULT_SECRET_KEY;" in
Encryptor. If SECRET_KEY is null we should probably throw an exception...
We recently took a different approach for default admin password,
default JWS key, etc
https://issues.apache.org/jira/browse/SYNCOPE-1119
No?
On Fri, Jul 14, 2017 at 10:48 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
On 14/07/2017 11:45, Colm O hEigeartaigh wrote:
How does the salt configuration work for "SSHA256"? Is it stored in
security.properties?
Password values are encrypted by
https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java
with configuration from security.properties
Regards.
On Fri, Jul 14, 2017 at 10:41 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
On 14/07/2017 11:40, Colm O hEigeartaigh wrote:
I guess SHA-256 would be a straightforward replacement. Maybe we should
instead move to a salted hash though?
Well, just set your preference among
https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/types/CipherAlgorithm.java
:-)
Regards.
On Fri, Jul 14, 2017 at 9:52 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:
On 14/07/2017 10:48, Colm O hEigeartaigh wrote:
Should we change the default password algorithm from SHA1 for 2.1.0?
It's probably time to migrate from SHA1 IMO.
Makes sense.
The only problem I could see is when pulling hashed password values
from LDAP, where SHA1 is still quite common. Not a big deal, anyway.
Which algorithm do you propose?
Regards.
--
Francesco Chicchiriccò
Tirasa - Open Source Excellence
http://www.tirasa.net/
Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/
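
The salted-hash option raised in the thread, as an added example that is not part of the original messages and is not Syncope's Encryptor code: a per-password random salt is stored alongside a SHA-256 digest, so the same password never produces the same stored value twice. The class name, the 8-byte salt size and the LDAP {SSHA}-style `Base64(digest || salt)` layout are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical class, not taken from Syncope.
public class SaltedSha256Example {
    private static final int SALT_BYTES = 8;    // assumed salt size
    private static final int DIGEST_BYTES = 32; // SHA-256 output length
    private static final SecureRandom RNG = new SecureRandom();

    // digest = SHA-256(password || salt)
    static byte[] digest(String password, byte[] salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(password.getBytes(StandardCharsets.UTF_8));
        md.update(salt);
        return md.digest();
    }

    // Stored value is Base64(digest || salt), so the salt travels with the hash.
    static String hash(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt); // fresh random salt for every password
        byte[] d = digest(password, salt);
        byte[] out = Arrays.copyOf(d, d.length + salt.length);
        System.arraycopy(salt, 0, out, d.length, salt.length);
        return Base64.getEncoder().encodeToString(out);
    }

    static boolean verify(String password, String stored) throws NoSuchAlgorithmException {
        byte[] raw = Base64.getDecoder().decode(stored);
        if (raw.length <= DIGEST_BYTES) {
            return false; // no salt present: reject rather than treat as unsalted
        }
        byte[] expected = Arrays.copyOfRange(raw, 0, DIGEST_BYTES);
        byte[] salt = Arrays.copyOfRange(raw, DIGEST_BYTES, raw.length);
        // MessageDigest.isEqual compares in constant time
        return MessageDigest.isEqual(expected, digest(password, salt));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String pw = "constructed-sample-password"; // constructed sample input
        String first = hash(pw);
        String second = hash(pw); // same password, independent salt
        System.out.println("stored values equal: " + first.equals(second));
        System.out.println("correct password:    " + verify(pw, first));
        System.out.println("wrong password:      " + verify("wrong-password", first));
    }
}
```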