[
https://issues.apache.org/jira/browse/JSPWIKI-20?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12546125
]
Andrew Jaquith commented on JSPWIKI-20:
---------------------------------------
I should have said, "it raises the workfactor for an attacker by many many
orders of magnitude." The additional /developer/ workfactor is pretty low. :)
> Password hash should be salted
> ------------------------------
>
> Key: JSPWIKI-20
> URL: https://issues.apache.org/jira/browse/JSPWIKI-20
> Project: JSPWiki
> Issue Type: Improvement
> Components: Authentication&Authorization
> Affects Versions: 2.5.139-beta
> Reporter: Janne Jalkanen
> Assignee: Janne Jalkanen
> Attachments: jspwiki-20.patch
>
>
> The password hash is calculated as a direct SHA1-digest of the password.
> Unfortunately this means that it's vulnerable to brute-force attacks - there
> are many web sites which store SHA1 hashes of common passwords. The key
> space in most languages is pretty small... So the password should really be
> properly salted with preferably a long, random string.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
