[
https://issues.apache.org/jira/browse/JAMES-3674?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17447261#comment-17447261
]
Ioan Eugen Stan commented on JAMES-3674:
----------------------------------------
+1 for doing things right the first time and for stronger crypto.
I don't care what or if any crypto lib is used.
Using no crypto lib is preferable if code is simple enough.
> Support password salting and hash scheme upgrading
> --------------------------------------------------
>
> Key: JAMES-3674
> URL: https://issues.apache.org/jira/browse/JAMES-3674
> Project: James Server
> Issue Type: Improvement
> Components: UsersStore & UsersRepository
> Affects Versions: master
> Reporter: Karsten Otto
> Priority: Major
> Time Spent: 5h 40m
> Remaining Estimate: 0h
>
> Currently, James does not use salt during password hashing, so its password
> database is vulnerable to rainbow table cracking if someone ever manages to
> steal it. Furthermore, there is no mechanism to upgrade user passwords to
> stronger/different hashing once they are created (cf. legacy hashing mode).
> This is a problem for any installation that does not employ an external LDAP
> user database.
> A simple solution is to include the user name as salt in the password hash.
> For this purpose, the {{hashingMode}} choices in {{usersrepository.xml}}
> should include an new mode "salted" in addition to "legacy" and "default".
> Additionally, the database should include an explicit column in the user
> table, which specifies the {{hashingMode}} of the stored password, and is
> used during verification. However, when a user changes the password, the
> configured {{algorithm}} and {{hashingMode}} from {{usersrepository.xml}}
> will be used instead. This way, the database gradually upgrades over time to
> the preferred setting.
> T-Shirt size L.
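The scheme sketched in the issue (a username-salted mode beside the unsalted legacy mode, a per-user column recording which mode a stored hash uses, verification against the recorded mode, and re-hashing under the configured mode only when the password changes) is small enough to show end to end. The following is an added illustration, not code from James or from the issue's author; the mode names, the `CONFIG` values, the record layout and the `legacy`/`salted` digest construction are assumptions made for the example. Note that a user name is a stable but guessable salt: it defeats precomputed rainbow tables and makes identical passwords hash differently per user, but a per-user random salt and a slow KDF are the usual next step.

```python
"""Username-salted hashing with a per-user hashingMode and gradual upgrade.

Constructed example for JAMES-3674; names and layout are assumptions,
not James's implementation.
"""
import hashlib
import hmac

# Preferred scheme, as it would come from usersrepository.xml (assumed values).
CONFIG = {"algorithm": "sha256", "hashingMode": "salted"}


def hash_password(algorithm: str, mode: str, username: str, password: str) -> str:
    """Return the hex digest of `password` under the given scheme.

    legacy: unsalted digest of the password alone (rainbow-table cracking
            applies if the database leaks).
    salted: digest over the user name, a separator and the password.
    """
    digest = hashlib.new(algorithm)
    if mode == "salted":
        # Normalise case so the salt does not depend on how the login was typed
        # (assumption about how a real deployment would canonicalise names).
        digest.update(username.lower().encode("utf-8"))
        digest.update(b"\x00")
    elif mode != "legacy":
        raise ValueError(f"unknown hashingMode {mode!r}")
    digest.update(password.encode("utf-8"))
    return digest.hexdigest()


def set_password(store: dict, username: str, password: str, config=CONFIG) -> dict:
    """Write a password row using the *configured* algorithm and mode."""
    record = {
        "algorithm": config["algorithm"],
        "hashingMode": config["hashingMode"],
        "hash": hash_password(config["algorithm"], config["hashingMode"],
                              username, password),
    }
    store[username] = record
    return record


def verify_password(store: dict, username: str, password: str) -> bool:
    """Check against the mode recorded in the user's row, not the configured one."""
    record = store.get(username)
    if record is None:
        return False
    candidate = hash_password(record["algorithm"], record["hashingMode"],
                              username, password)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(candidate, record["hash"])


def change_password(store: dict, username: str, old: str, new: str,
                    config=CONFIG) -> bool:
    """Verify under the stored scheme, then rewrite under the configured scheme."""
    if not verify_password(store, username, old):
        return False
    set_password(store, username, new, config)
    return True


def pending_upgrades(store: dict, config=CONFIG) -> list:
    """Users whose stored (algorithm, hashingMode) still differs from the config."""
    wanted = (config["algorithm"], config["hashingMode"])
    return sorted(user for user, row in store.items()
                  if (row["algorithm"], row["hashingMode"]) != wanted)


def demo() -> dict:
    """Walk two constructed legacy rows through verification and one upgrade."""
    store = {}
    for user in ("alice", "bob"):  # constructed rows from an older install
        store[user] = {"algorithm": "sha256", "hashingMode": "legacy",
                       "hash": hash_password("sha256", "legacy", user, "hunter2")}
    return {
        # Unsalted: same password, same stored hash for both users.
        "legacy_hashes_equal": store["alice"]["hash"] == store["bob"]["hash"],
        "pending_before": pending_upgrades(store),
        # Old rows keep verifying under their recorded legacy mode.
        "legacy_login_ok": verify_password(store, "alice", "hunter2"),
        # A password change migrates alice to the configured salted scheme.
        "changed": change_password(store, "alice", "hunter2", "correct horse"),
        "alice_mode_after": store["alice"]["hashingMode"],
        "pending_after": pending_upgrades(store),
        "new_login_ok": verify_password(store, "alice", "correct horse"),
        "old_login_rejected": not verify_password(store, "alice", "hunter2"),
        "wrong_old_blocks_change": not change_password(store, "bob", "nope", "x"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`pending_upgrades` is the query an operator would run after changing `hashingMode` in the configuration, to see how much of the user table is still on the old scheme; because rows are only rewritten on password change, it shrinks over time rather than in one migration.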