[ https://issues.apache.org/jira/browse/JAMES-3674?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452790#comment-17452790 ]
Benoit Tellier commented on JAMES-3674:
---------------------------------------

https://github.com/linagora/james-project-private/issues/280 provides PBKDF2 hashing (based on username)

> bcrypt and friends usually encode all necessary parameters in the password
> field itself

bcrypt does not have a default implementation in Java and I am reluctant to add a dependency.

> Support password salting and hash scheme upgrading
> --------------------------------------------------
>
> Key: JAMES-3674
> URL: https://issues.apache.org/jira/browse/JAMES-3674
> Project: James Server
> Issue Type: Improvement
> Components: UsersStore & UsersRepository
> Affects Versions: master
> Reporter: Karsten Otto
> Priority: Major
> Time Spent: 7h 10m
> Remaining Estimate: 0h
>
> Currently, James does not use salt during password hashing, so its password
> database is vulnerable to rainbow table cracking if someone ever manages to
> steal it. Furthermore, there is no mechanism to upgrade user passwords to
> stronger/different hashing once they are created (cf. legacy hashing mode).
> This is a problem for any installation that does not employ an external LDAP
> user database.
>
> A simple solution is to include the user name as salt in the password hash.
> For this purpose, the {{hashingMode}} choices in {{usersrepository.xml}}
> should include a new mode "salted" in addition to "legacy" and "default".
> Additionally, the database should include an explicit column in the user
> table, which specifies the {{hashingMode}} of the stored password, and is
> used during verification. However, when a user changes the password, the
> configured {{algorithm}} and {{hashingMode}} from {{usersrepository.xml}}
> will be used instead. This way, the database gradually upgrades over time to
> the preferred setting.
>
> T-Shirt size L.
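The scheme the quoted description lays out (unsalted legacy hashes, a username-salted PBKDF2 mode, an explicit hashingMode stored with each user, and re-hashing with the configured mode whenever the password changes), as an added Python sketch that is not James code; the iteration count, the record layout and the use of SHA-256 for the legacy digest are assumptions.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 100_000  # assumed value, not taken from the James issue


def _legacy_hash(password: str) -> str:
    # Unsalted digest: two users with the same password get the same hash,
    # which is exactly the rainbow-table exposure the issue describes.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _salted_hash(username: str, password: str) -> str:
    # PBKDF2-HMAC-SHA256 with the user name as salt, as proposed in the issue.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), username.encode("utf-8"), PBKDF2_ITERATIONS
    ).hex()


def make_record(username: str, password: str, hashing_mode: str) -> dict:
    """Build the stored row: the hash plus an explicit hashingMode column."""
    if hashing_mode == "legacy":
        digest = _legacy_hash(password)
    elif hashing_mode == "salted":
        digest = _salted_hash(username, password)
    else:
        raise ValueError(f"unknown hashingMode {hashing_mode!r}")
    return {"username": username, "hashingMode": hashing_mode, "hash": digest}


def verify(record: dict, password: str) -> bool:
    """Verify against the mode stored with the row, not the configured one."""
    if record["hashingMode"] == "legacy":
        expected = _legacy_hash(password)
    else:
        expected = _salted_hash(record["username"], password)
    return hmac.compare_digest(expected, record["hash"])


def change_password(record: dict, old_password: str, new_password: str,
                    configured_mode: str) -> dict:
    """On a password change the configured mode wins, so rows upgrade over time."""
    if not verify(record, old_password):
        raise PermissionError("old password does not match")
    return make_record(record["username"], new_password, configured_mode)
```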
--
This message was sent by Atlassian Jira (v8.20.1#820001)