I don't know jasypt, so I can't make guarantees (actually, nobody can,
but you know what I mean). However, there are two good signs:

1) The API is specifically for password checking. This is a lot better
than using a generic hasher and doing the salting yourself. The
authors of the library had password hashing in mind when they wrote
it. If they did their job right, it should be good for password
hashing.

2) The API call is checkPassword(thePassword, theHash). This is the
'right' form of such a library. Contrast to e.g.
hash(thePassword).equals(theHashFromTheDB), which is the -wrong- form
(because there's no salt in that mix at all), or even hash(saltFromDB
+thePassword).equals(hashFromDB), which is probably okay, but requires
more acts on behalf of the library user, including generating a
cryptographically secure salt somehow.

So, that very shallow review says: It's all good. But no guarantees on
the jasypt author's security chops.

On Sep 19, 12:27 pm, Ed <[EMAIL PROTECTED]> wrote:
> Like Rob mentioned, always interesting to read Reinier's post :)...
>
> > B) BCrypt (and you should use BCrypt, or you Fail Security. Seriously.
> > Don't think about it, you failed the test. Use tools written by the
> > experts) - is a better take on a technique called 'salt hashing',
>
> I noticed you mentioned this a few times before in this forum.
> The tool I use: http://www.jasypt.org/. I hope this is written by
> experts as well :(
>
> -- Ed
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~----------~----~----~----~------~----~------~--~---