[
https://issues.apache.org/jira/browse/JSPWIKI-20?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12546123
]
Andrew Jaquith commented on JSPWIKI-20:
---------------------------------------
128 bits ought to be plenty... it raises the work factor by many, many orders of
magnitude. It's not overkill, because the extra time needed to generate the
longer salt doesn't really cost us more than a few milliseconds.
Your patch, coincidentally, appears to be pretty similar to what was proposed
for WordPress:
http://trac.wordpress.org/attachment/ticket/2394/2394-phpass.patch
Three comments on the patch itself:
1) We ought to modify the validatePassword() function so that the user's hash
is automatically upgraded to the salted version at the time of password check,
rather than just at password save/update time. That would allow for a nice,
easy, transparent migration.
2) It seems pretty commonplace, based on the WordPress example and some other
examples I've seen, simply to prepend the salt to the password hash rather than
delimit it with a comma.
3) Salting the hash will absolutely break the "share logins with the container"
feature, which has been around since ~2.3,60 I think. I'm not wedded to that
feature, but it is kind of nice to have. (I may be the only person who uses
it...)
Reason #3, in particular, suggests that it might be better to wait on fixing
this until 2.8. That way, we could deprecate the "share logins with container"
feature NOW (in 2.6) and remove it entirely in 2.8.
> Password hash should be salted
> ------------------------------
>
> Key: JSPWIKI-20
> URL: https://issues.apache.org/jira/browse/JSPWIKI-20
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication&Authorization
> Affects Versions: 2.5.139-beta
> Reporter: Janne Jalkanen
> Assignee: Janne Jalkanen
> Attachments: jspwiki-20.patch
>
>
> The password hash is calculated as a direct SHA1-digest of the password.
> Unfortunately this means that it's vulnerable to brute-force attacks - there
> are many web sites which store SHA1 hashes of common passwords. The key
> space in most languages is pretty small... So the password should really be
> properly salted with preferably a long, random string.
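The three points above (a 128-bit random salt, the salt prepended to the digest rather than comma-delimited, and a validatePassword() that upgrades a legacy unsalted hash transparently at login) fit together as shown in the following added example. This is illustration code written for this note, not JSPWiki's code or its stored-hash format: the class name PasswordHasher, the {SHA1}/{SSHA1} markers and the hex layout are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/**
 * Illustrative hasher (not JSPWiki's own code). Storage layout is an assumption:
 *   legacy: "{SHA1}" + hex(SHA1(password))
 *   salted: "{SSHA1}" + hex(salt) + hex(SHA1(salt || password))  -- salt prepended, no delimiter
 */
public class PasswordHasher {
    private static final String LEGACY_PREFIX = "{SHA1}";  // assumed marker for the old unsalted form
    private static final String SALTED_PREFIX = "{SSHA1}"; // assumed marker for the salted form
    private static final int SALT_BYTES = 16;              // 128-bit salt, per the comment above
    private static final SecureRandom RNG = new SecureRandom();

    /** Outcome of a check: whether it matched, and a replacement hash if the stored one was legacy. */
    static final class VerifyResult {
        final boolean valid;
        final String upgradedHash; // non-null only when the caller should overwrite the stored hash
        VerifyResult(boolean valid, String upgradedHash) { this.valid = valid; this.upgradedHash = upgradedHash; }
    }

    /** Old scheme: direct SHA-1 of the password, the form the issue describes as vulnerable. */
    static String legacyHash(String password) {
        return LEGACY_PREFIX + hex(sha1().digest(password.getBytes(StandardCharsets.UTF_8)));
    }

    /** New scheme with a caller-supplied salt (used when re-checking an existing salted hash). */
    static String saltedHash(String password, byte[] salt) {
        MessageDigest md = sha1();
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return SALTED_PREFIX + hex(salt) + hex(md.digest());
    }

    /** New scheme with a fresh random salt (used at password save/update and at migration). */
    static String saltedHash(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return saltedHash(password, salt);
    }

    /**
     * Checks a candidate against whatever is stored. If the stored value is a legacy hash and the
     * candidate matches, the password is known to be correct at this moment, so a salted replacement
     * is returned and the caller persists it: migration happens at login, not only at password change.
     */
    static VerifyResult validatePassword(String stored, String candidate) {
        if (stored.startsWith(SALTED_PREFIX)) {
            int saltHexLen = SALT_BYTES * 2;
            if (stored.length() < SALTED_PREFIX.length() + saltHexLen) {
                return new VerifyResult(false, null); // malformed record
            }
            byte[] salt = unhex(stored.substring(SALTED_PREFIX.length(), SALTED_PREFIX.length() + saltHexLen));
            boolean ok = constantTimeEquals(saltedHash(candidate, salt), stored);
            return new VerifyResult(ok, null);
        }
        if (stored.startsWith(LEGACY_PREFIX)) {
            boolean ok = constantTimeEquals(legacyHash(candidate), stored);
            return new VerifyResult(ok, ok ? saltedHash(candidate) : null);
        }
        return new VerifyResult(false, null); // unknown format: never accept
    }

    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    private static MessageDigest sha1() {
        try { return MessageDigest.getInstance("SHA-1"); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static byte[] unhex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) {
        String stored = legacyHash("correct horse");          // constructed legacy record
        VerifyResult first = validatePassword(stored, "correct horse");
        System.out.println("legacy login ok=" + first.valid + " upgrade=" + (first.upgradedHash != null));
        stored = first.upgradedHash;                           // caller persists the salted form
        VerifyResult second = validatePassword(stored, "correct horse");
        System.out.println("salted login ok=" + second.valid + " upgrade=" + (second.upgradedHash != null));
        System.out.println("wrong password ok=" + validatePassword(stored, "wrong").valid);
    }
}
```

The salt is what defeats the precomputed-table attack the issue describes: two users with the same password get different stored values, and a table keyed on the bare SHA-1 of common passwords no longer applies. The digest stays SHA-1 here to match the page; it is a fast hash, so slowing down each guess would be a separate change. Migration on successful login means a record that is never logged into is never upgraded, so a deployment still has to decide how long to keep accepting the legacy form.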