Actually, we surely implement SSL, but we also want our passwords to be saved in 
hashed form using SHA variants or some other algorithm, whichever we like to use, 
rather than using DSpace's default hashing algorithm.


Thanks & Regards


-----Original Message-----
From: ivan.ma...@gmail.com [mailto:ivan.ma...@gmail.com] On Behalf Of helix84
Sent: Thursday, November 01, 2012 3:34 PM
To: Umair Kayani
Cc: dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] Application Security details of dspace 1.8.2

On Thu, Nov 1, 2012 at 9:24 AM, Umair Kayani <ukay...@niftetrust.com> wrote:
> Helix, using SSL was our backup plan. DSpace keeps the hash of the password 
> in the database, so I was wondering in which servlet this change occurs. If the request 
> is going with a clear password, then it must be converting it to match the 
> database password of the user for authentication. I need to know that code 
> file or method, for my understanding at least. Though I checked the 
> AuthenticationManager, AuthenticationMethod and EPerson code files and found 
> nothing there except a hashcode method in the EPerson code file. Can anyone 
> confirm if this is the one which DSpace uses to convert a plain-text password 
> to a hash code and then match that hash code with the database hash code?

As I said, I don't want to give bad security advice, but João already spilled 
the beans. If you have to do it, at least do it right! Here's the change that 
added salted hashes, so it touches all the places that deal with hashes:

https://github.com/DSpace/DSpace/pull/41/files

So now that you're going to do hashing in JavaScript, be aware that:
1) Logging in without JavaScript enabled will not work.
2) The hash and salt will be transferred in plain text, so weak passwords can 
be brute-forced if this information is sniffed. Make sure not to allow users to 
set weak passwords; there surely are JS libraries for that.

You didn't answer my question, why not use HTTPS in the first place?


Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette 
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
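As an added illustration of helix84's "at least do it right" point (this is example code written for this thread, not DSpace's own PasswordHash from the pull request above, whose algorithm, iteration count and storage format may differ): a per-user random salt, an iterated SHA-based derivation, constant-time comparison on verification, and the weak-password check he recommends. The parameters and the `algo$iterations$salt$digest` storage format are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for this example; tune iterations to your hardware.
HASH_ALGO = "sha512"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'algo$iterations$salt_hex$digest_hex' for storage in the user table.

    A fresh random salt per user means two users with the same password get
    different stored values, and a precomputed table cannot be reused.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_ALGO, password.encode("utf-8"), salt, ITERATIONS)
    return f"{HASH_ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.

    The plain password must reach this function over TLS: if a client sends a
    precomputed hash instead, that hash itself becomes the credential on the wire.
    """
    algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        algo, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_strong_password(password: str, min_length: int = 12) -> bool:
    """Minimal policy (assumed): minimum length plus at least three character classes.

    Salting does not protect a weak password that is guessed offline, so reject
    weak passwords at registration time.
    """
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) >= min_length and classes >= 3
```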
