Posted to dev@syncope.apache.org by "Bob Lannoy (JIRA)" <ji...@apache.org> on 2012/07/04 10:43:35 UTC

[jira] [Updated] (SYNCOPE-100) Add more password encryption options

     [ https://issues.apache.org/jira/browse/SYNCOPE-100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bob Lannoy updated SYNCOPE-100:
-------------------------------

    Attachment: passwordhash.patch

Backwards compatible patch to allow
- salted versions of current password algorithms
- additional algorithm: Bcrypt

Uses Jasypt for salted versions and Spring for Bcrypt.
Jasypt also has the possibility to create LDAP-compatible passwords but this was not implemented.

Admin passwords can also be hashed with algorithm of choice.
CLI-class to facilitate generation of admin hash.
                
> Add more password encryption options
> ------------------------------------
>
>                 Key: SYNCOPE-100
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-100
>             Project: Syncope
>          Issue Type: Improvement
>            Reporter: Francesco Chicchiriccò
>              Labels: security
>         Attachments: passwordhash.patch
>
>
> It would be best to add other password mechanisms that include salting and stretching of passwords (see links).
> This would mean that an extra attribute has to be added to the user (salt) which can be used for that purpose.
> You would be able to keep the old ones for backward compatibility and include new ones which are a lot safer. Apparently PBKDF2 is considered a secure mechanism.
> Some reading material:
> https://www.owasp.org/index.php/Hashing_Java
> http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
> http://throwingfire.com/storing-passwords-securely/
> Jasypt (http://www.jasypt.org/) provides all the things mentioned in the articles, such as hashing,
> salting and iteration out of the box, and is also AL 2.0 licensed.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
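The scheme the issue describes, as an added stand-alone illustration (not Syncope's code, nor the attached patch): a salted and stretched PBKDF2 record with the salt stored as an extra attribute, legacy unsalted digests kept only so existing users still verify, and a transparent upgrade to the salted form on the next successful login. Iteration count, record layout and the legacy algorithm names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed legacy scheme: a bare hex digest with no salt (what "the old ones" look like here).
LEGACY_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}
PBKDF2_ITERATIONS = 100_000  # assumed stretching cost; tune per deployment


def hash_legacy(password: str, algorithm: str = "SHA1") -> dict:
    """Unsalted legacy record, retained only so already-stored hashes keep verifying."""
    digest = LEGACY_ALGORITHMS[algorithm](password.encode("utf-8")).hexdigest()
    return {"algorithm": algorithm, "salt": None, "hash": digest}


def hash_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Salted + stretched record; the random salt becomes an extra stored attribute."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"algorithm": "PBKDF2", "salt": base64.b64encode(salt).decode(),
            "iterations": iterations, "hash": base64.b64encode(dk).decode()}


def verify(password: str, record: dict) -> bool:
    """Dispatch on the stored algorithm tag and compare in constant time."""
    algorithm = record["algorithm"]
    if algorithm in LEGACY_ALGORITHMS:
        expected = LEGACY_ALGORITHMS[algorithm](password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(expected, record["hash"])
    if algorithm == "PBKDF2":
        salt = base64.b64decode(record["salt"])
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
        return hmac.compare_digest(dk, base64.b64decode(record["hash"]))
    raise ValueError(f"unsupported algorithm: {algorithm}")


def needs_upgrade(record: dict) -> bool:
    """A record still on an unsalted legacy algorithm should be migrated."""
    return record["algorithm"] in LEGACY_ALGORITHMS


def verify_and_upgrade(password: str, record: dict):
    """Re-hash a legacy record with the salted scheme on successful login, the only
    moment the plaintext is available to do so. Returns (ok, record_to_store)."""
    ok = verify(password, record)
    if ok and needs_upgrade(record):
        return True, hash_pbkdf2(password)
    return ok, record
```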