Hello Joakim, John and Greg,

Thanks a lot for your prompt reply; this has helped me a great deal. I will go ahead with using the OBF format in my configurations.
Thanks,
Smita

On Fri, Jul 16, 2021 at 2:55 AM Greg Wilkins <[email protected]> wrote:
>
> John,
>
> Not secure at all, nor is it intended to be.
>
> The issue is that if the server is to be started automatically without the
> need to enter a passphrase, then encryption cannot be used since the server
> needs to provide the keystore passwords at runtime. OBF is simply a way
> to put the pass phrases into a configuration file so that a casual observer
> looking over your shoulder cannot easily remember the configured
> passwords. MD5 cannot be used at all in this situation (it is provided
> for checking things like BASIC authentication where a credential is sent
> over "the wire" but we want to avoid storing such credentials on the
> server, so we check the MD5 of the provided credential with the stored MD5).
>
> BCrypt would not help, as it requires a passphrase. If we put that
> passphrase in a config file, then it's just the same problem... how to
> protect the passphrase needed to recover the password needed to recover the
> private key ....
>
> Ultimately if a server is to start automatically, without human
> intervention, then you need to rely on the OS security to keep a
> configuration file secure.
>
> cheers
>
> On Fri, 16 Jul 2021 at 01:52, John English <[email protected]> wrote:
>
>> On 15/07/2021 18:27, Joakim Erdfelt wrote:
>> > The `MD5:` format Credential / Password is what's known as a 1-way hash
>> > (this is not encryption).
>> > You can take a password and generate an MD5.
>> > Then later, when a password is provided, you can run the hash again and
>> > compare the resulting MD5 to know if the password that was provided is a
>> > match.
>>
>> Ouch. MD5? Not terribly secure. I prefer BCrypt.
>>
>> --
>> John English
>
> --
> Greg Wilkins <[email protected]> CTO http://webtide.com
_______________________________________________ jetty-users mailing list [email protected] To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
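Greg's distinction above, OBF: being a keyless encoding that anyone with read access to the file can undo versus MD5: being a one-way check, shown as an added Python port of the two schemes (example code written for this page, not code from the thread or from Jetty's own source). The UTF-8 byte encoding, the `hashlib`/`hmac` calls and the sample password "storepwd" with its OBF form are assumptions made for the example.

```python
import hashlib
import hmac

OBF_PREFIX = "OBF:"
MD5_PREFIX = "MD5:"
_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"

def _to_base36(n: int) -> str:
    digits = ""
    while n:
        n, r = divmod(n, 36)
        digits = _B36[r] + digits
    return digits or "0"

def obfuscate(password: str) -> str:
    """OBF: encoding. No key is involved: each byte and its mirror from the
    far end are folded into four base-36 digits by fixed arithmetic."""
    data = password.encode("utf-8")          # UTF-8 is an assumption here
    n, groups = len(data), []
    for i, b1 in enumerate(data):
        b2 = data[n - 1 - i]
        if b1 > 127 or b2 > 127:          # non-ASCII pair: 'U' + 4 digits
            groups.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1, i2 = 127 + b1 + b2, 127 + b1 - b2
            groups.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return OBF_PREFIX + "".join(groups)

def deobfuscate(obf: str) -> str:
    """Invert obfuscate(): anyone who can read the config file can do this,
    which is why the file itself must be protected by OS permissions."""
    s = obf[len(OBF_PREFIX):] if obf.startswith(OBF_PREFIX) else obf
    raw, i = bytearray(), 0
    while i < len(s):
        if s[i] == "U":
            raw.append(int(s[i + 1:i + 5], 36) >> 8)   # high byte is b1
            i += 5
        else:
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)           # recovers b1
            i += 4
    return raw.decode("utf-8")

def md5_credential(password: str) -> str:
    """One-way MD5: form (UTF-8 bytes assumed); it cannot be inverted."""
    return MD5_PREFIX + hashlib.md5(password.encode("utf-8")).hexdigest()

def md5_matches(stored: str, supplied: str) -> bool:
    """Re-hash what the client sent and compare with the stored digest."""
    return hmac.compare_digest(stored, md5_credential(supplied))
```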
