Posted to dev@syncope.apache.org by "Francesco Chicchiriccò (JIRA)" <ji...@apache.org> on 2012/06/21 10:59:43 UTC

[jira] [Created] (SYNCOPE-100) Add more password encryption options

Francesco Chicchiriccò created SYNCOPE-100:
----------------------------------------------

             Summary: Add more password encryption options
                 Key: SYNCOPE-100
                 URL: https://issues.apache.org/jira/browse/SYNCOPE-100
             Project: Syncope
          Issue Type: Improvement
            Reporter: Francesco Chicchiriccò


It would be best to add other password mechanisms that include salting and stretching of passwords (see links).
This would mean that an extra attribute has to be added to the user (salt) which can be used for that purpose.
You would be able to keep the old ones for backward compatibility and include new ones which are a lot safer. Apparently PBKDF2 is considered a secure mechanism.

Some reading material:
https://www.owasp.org/index.php/Hashing_Java
http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
http://throwingfire.com/storing-passwords-securely/

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

[jira] [Commented] (SYNCOPE-100) Add more password encryption options

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/SYNCOPE-100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13447201#comment-13447201 ] 

Hudson commented on SYNCOPE-100:
--------------------------------

Integrated in Syncope-linux #264 (See [https://builds.apache.org/job/Syncope-linux/264/])
    Fixes issue SYNCOPE-51 and SYNCOPE-100 special thanks to Bob and Massimiliano (Revision 1380190)

     Result = SUCCESS
fmartelli : 
Files : 
* /incubator/syncope/trunk/archetype/src/main/resources/archetype-resources/core/src/main/resources
* /incubator/syncope/trunk/archetype/src/main/resources/archetype-resources/core/src/main/resources/security.properties
* /incubator/syncope/trunk/archetype/src/main/resources/archetype-resources/core/src/test/resources/security.properties
* /incubator/syncope/trunk/client/src/main/java/org/apache/syncope/types/CipherAlgorithm.java
* /incubator/syncope/trunk/core/pom.xml
* /incubator/syncope/trunk/core/src/main/java/org/apache/syncope/core/persistence/beans/user/SyncopeUser.java
* /incubator/syncope/trunk/core/src/main/java/org/apache/syncope/core/rest/data/UserDataBinder.java
* /incubator/syncope/trunk/core/src/main/java/org/apache/syncope/core/security/EncodePasswordCLI.java
* /incubator/syncope/trunk/core/src/main/java/org/apache/syncope/core/security/PasswordEncoder.java
* /incubator/syncope/trunk/core/src/main/java/org/apache/syncope/core/security/SyncopeAuthenticationProvider.java
* /incubator/syncope/trunk/core/src/main/java/org/apache/syncope/core/workflow/NoOpUserWorkflowAdapter.java
* /incubator/syncope/trunk/core/src/main/resources/content.xml
* /incubator/syncope/trunk/core/src/main/resources/security.properties
* /incubator/syncope/trunk/core/src/main/resources/securityContext.xml
* /incubator/syncope/trunk/core/src/test/java/org/apache/syncope/core/rest/UserTestITCase.java
* /incubator/syncope/trunk/core/src/test/java/org/apache/syncope/core/security
* /incubator/syncope/trunk/core/src/test/java/org/apache/syncope/core/security/PasswordEncoderTest.java
* /incubator/syncope/trunk/core/src/test/resources/content.xml
* /incubator/syncope/trunk/core/src/test/resources/security.properties
* /incubator/syncope/trunk/pom.xml

                
> Add more password encryption options
> ------------------------------------
>
>                 Key: SYNCOPE-100
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-100
>             Project: Syncope
>          Issue Type: Improvement
>            Reporter: Francesco Chicchiriccò
>            Assignee: fabio martelli
>              Labels: security
>             Fix For: 1.1.0-incubating
>
>         Attachments: passwordhash.patch
>
>
> It would be best to add other password mechanisms that include salting and stretching of passwords (see links).
> This would mean that an extra attribute has to be added to the user (salt) which can be used for that purpose.
> You would be able to keep the old ones for backward compatibility and include new ones which are a lot safer. Apparently PBKDF2 is considered a secure mechanism.
> Some reading material:
> https://www.owasp.org/index.php/Hashing_Java
> http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
> http://throwingfire.com/storing-passwords-securely/
> Jasypt (http://www.jasypt.org/) provides all the things mentioned in the articles, such as hashing,
> salting and iteration out of the box, and is also AL 2.0 licensed.


[jira] [Resolved] (SYNCOPE-100) Add more password encryption options

Posted by "fabio martelli (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SYNCOPE-100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

fabio martelli resolved SYNCOPE-100.
------------------------------------

    Resolution: Fixed
      Assignee: fabio martelli

Merged with SYNCOPE-51 and applied.
                

[jira] [Updated] (SYNCOPE-100) Add more password encryption options

Posted by "Bob Lannoy (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SYNCOPE-100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bob Lannoy updated SYNCOPE-100:
-------------------------------

    Attachment: passwordhash.patch

Backwards compatible patch to allow
- salted versions of current password algorithms
- additional algorithm: Bcrypt

Uses Jasypt for salted versions and Spring for Bcrypt.
Jasypt also has the possibility to create LDAP-compatible passwords but this was not implemented.

Admin passwords can also be hashed with algorithm of choice.
CLI-class to facilitate generation of admin hash.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
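Neither the original report nor the patch description above includes code, so the following is an added Python illustration (not Syncope's own Java code, which lives in PasswordEncoder.java) of the scheme both messages describe: a per-user salt stored as an extra attribute, PBKDF2 stretching, and the existing unsalted hashes kept verifiable for backward compatibility and re-encoded at the next successful login. The StoredUser record, the cipher names and the iteration count are assumptions made for this example; bcrypt, which the patch adds through Spring, is left out because it needs a third-party library.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # stretching factor; a constructed choice for this example
SALT_BYTES = 16              # per-user random salt length

@dataclass
class StoredUser:
    """Hypothetical user record: the patch adds a salt attribute next to the password."""
    username: str
    cipher: str            # "SHA256" (legacy, unsalted) or "PBKDF2_SHA256" (salted, stretched)
    password: str          # hex digest as stored
    salt: Optional[bytes]  # None for legacy entries, random bytes otherwise

def legacy_sha256(password: str) -> str:
    """Old scheme: unsalted single-round SHA-256, kept only so existing entries still verify."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def pbkdf2_sha256(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """New scheme: salted and stretched with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()

def enroll(username: str, password: str) -> StoredUser:
    """New or changed passwords always get a fresh salt and the stretched algorithm."""
    salt = os.urandom(SALT_BYTES)
    return StoredUser(username, "PBKDF2_SHA256", pbkdf2_sha256(password, salt), salt)

def verify(user: StoredUser, candidate: str) -> bool:
    """Check the candidate against whichever algorithm the record was stored with."""
    if user.cipher == "SHA256":
        expected = legacy_sha256(candidate)
    elif user.cipher == "PBKDF2_SHA256" and user.salt is not None:
        expected = pbkdf2_sha256(candidate, user.salt)
    else:
        return False  # unknown cipher or missing salt: never fall back to a weaker check
    # constant-time comparison so timing does not leak how many digest bytes matched
    return hmac.compare_digest(expected, user.password)

def verify_and_upgrade(user: StoredUser, candidate: str) -> bool:
    """Backward compatibility: accept a legacy hash, then re-store it salted and stretched."""
    if not verify(user, candidate):
        return False
    if user.cipher != "PBKDF2_SHA256":  # plaintext is only available on a successful login
        upgraded = enroll(user.username, candidate)
        user.cipher, user.password, user.salt = upgraded.cipher, upgraded.password, upgraded.salt
    return True
```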

       

[jira] [Updated] (SYNCOPE-100) Add more password encryption options

Posted by "Francesco Chicchiriccò (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SYNCOPE-100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francesco Chicchiriccò updated SYNCOPE-100:
-------------------------------------------

    Fix Version/s: 1.1.0-incubating
    

       

[jira] [Updated] (SYNCOPE-100) Add more password encryption options

Posted by "Francesco Chicchiriccò (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/SYNCOPE-100?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Francesco Chicchiriccò updated SYNCOPE-100:
-------------------------------------------

    Description: 
It would be best to add other password mechanisms that include salting and stretching of passwords (see links).
This would mean that an extra attribute has to be added to the user (salt) which can be used for that purpose.
You would be able to keep the old ones for backward compatibility and include new ones which are a lot safer. Apparently PBKDF2 is considered a secure mechanism.

Some reading material:
https://www.owasp.org/index.php/Hashing_Java
http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
http://throwingfire.com/storing-passwords-securely/

Jasypt (http://www.jasypt.org/) provides all the things mentioned in the articles, such as hashing,
salting and iteration out of the box, and is also AL 2.0 licensed.

  was:
It would be best to add other password mechanisms that include salting and stretching of passwords (see links).
This would mean that an extra attribute has to be added to the user (salt) which can be used for that purpose.
You would be able to keep the old ones for backward compatibility and include new ones which are a lot safer. Apparently PBKDF2 is considered a secure mechanism.

Some reading material:
https://www.owasp.org/index.php/Hashing_Java
http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
http://throwingfire.com/storing-passwords-securely/

    