[ https://issues.apache.org/jira/browse/JSPWIKI-20?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12588313#action_12588313 ]

Janne Jalkanen commented on JSPWIKI-20:
---------------------------------------

I don't quite understand how LDAP is supposed to figure out what the salt is - 
from the examples it looks like the salt is just simply appended to SSHA, but 
there is no indication in how long the salt is.  Or am I missing something?

I am also worried about this: 
{quote}
Note: use of RFC 2307 Experimental passwords violates the Standard Track 
specification, RFC 2256, for user passwords and may lead to interoperability 
problems. 
{quote}

> Password hash should be salted
> ------------------------------
>
>                 Key: JSPWIKI-20
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-20
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 2.5.139-beta
>            Reporter: Janne Jalkanen
>            Assignee: Janne Jalkanen
>             Fix For: 2.8
>
>         Attachments: jspwiki-20.patch
>
>
> The password hash is calculated as a direct SHA1-digest of the password.  
> Unfortunately this means that it's vulnerable to brute-force attacks - there 
> are many web sites which store SHA1 hashes of common passwords.  The key 
> space in most languages is pretty small... So the password should really be 
> properly salted with preferably a long, random string.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
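The salt-length question raised in the comment above is answered by the fixed size of the digest: an RFC 2307 {SSHA} value is base64(sha1(password + salt) + salt), and because SHA-1 always produces exactly 20 bytes, a verifier takes the first 20 decoded bytes as the digest and everything that remains as the salt, so no length field is needed. The following is an added illustration, not code from this JIRA thread or from JSPWiki (which is Java; Python is used here only because it shows the format compactly). The function names, the 8-byte default salt length and the constant-time comparison are this example's own choices. Note that single-round SHA-1, as in the 2008 scheme under discussion, only defeats precomputed lookup tables of common passwords; a current deployment would use a deliberately slow password hash such as bcrypt, scrypt or Argon2 in addition to a random salt.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# SHA-1 always yields 20 bytes; this fixed size is what lets a verifier find
# the boundary between digest and salt without storing the salt length.
SHA1_DIGEST_LEN = 20
SSHA_PREFIX = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None, salt_len: int = 8) -> str:
    """Encode a password in RFC 2307 {SSHA} form: base64(sha1(password + salt) + salt).

    A fresh random salt is drawn when none is supplied, so hashing the same
    password twice gives two different stored values (constructed default of
    8 salt bytes; OpenLDAP and others commonly use 4 to 16).
    """
    if salt is None:
        salt = os.urandom(salt_len)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(encoded: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt).

    The first 20 decoded bytes are the SHA-1 digest; whatever follows is the
    salt, however long it is.
    """
    if not encoded.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(encoded[len(SSHA_PREFIX):])
    if len(raw) <= SHA1_DIGEST_LEN:
        raise ValueError("decoded value too short to hold a digest and a salt")
    return raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]


def ssha_verify(password: str, encoded: str) -> bool:
    """Recompute sha1(password + recovered salt) and compare in constant time."""
    digest, salt = split_ssha(encoded)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored_a = ssha_hash("correct horse")
    stored_b = ssha_hash("correct horse")
    # Same password, different salts: the stored values differ, so a table of
    # precomputed SHA-1 hashes of common passwords no longer matches them.
    print(stored_a)
    print(stored_b)
    print("salt bytes recovered:", len(split_ssha(stored_a)[1]))
    print("verify ok:", ssha_verify("correct horse", stored_a))
    print("verify wrong pw:", ssha_verify("correct horsf", stored_a))
```

The verifier never needs the salt length in advance, which is why the examples on the RFC 2307 schemes simply append it; the cost of this design is that the salt is only as long as whatever the encoder chose, so the encoder, not the format, is responsible for using an adequately long random salt.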
