You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@felix.apache.org by "Antonio Sanso (JIRA)" <ji...@apache.org> on 2018/11/13 10:53:00 UTC
[jira] [Commented] (FELIX-5934) The Felix Web Console stores
unsalted hashed password
[ https://issues.apache.org/jira/browse/FELIX-5934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16685028#comment-16685028 ]
Antonio Sanso commented on FELIX-5934:
--------------------------------------
[~cziegeler] thanks a lot for applying . I would not call it completely resolved though. There is still the password initialization part to solve... But maybe we can handle in a different ticket ?
> The Felix Web Console stores unsalted hashed password
> -----------------------------------------------------
>
> Key: FELIX-5934
> URL: https://issues.apache.org/jira/browse/FELIX-5934
> Project: Felix
> Issue Type: Bug
> Components: Web Console
> Reporter: Antonio Sanso
> Assignee: Carsten Ziegeler
> Priority: Major
> Fix For: webconsole-4.3.10
>
> Attachments: FELIX-5934-patch.txt
>
>
> The Felix Web Console currently stores unsalted hashed password [0]
> This violates common security hygiene and industry standard.
> The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. *Argon2* or *PBKDF2* *.* See [1]
>
> [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]
> [1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)