You are viewing a plain text version of this content. The canonical link for it is here.

Posted to server-dev@james.apache.org by "Karsten Otto (Jira)" <se...@james.apache.org> on 2021/11/17 16:44:00 UTC

[jira] [Created] (JAMES-3674) Support password salting and hash scheme upgrading

Karsten Otto created JAMES-3674:
-----------------------------------

             Summary: Support password salting and hash scheme upgrading
                 Key: JAMES-3674
                 URL: https://issues.apache.org/jira/browse/JAMES-3674
             Project: James Server
          Issue Type: Improvement
          Components: UsersStore &amp; UsersRepository
    Affects Versions: master
            Reporter: Karsten Otto


Currently, James does not use salt during password hashing, so its password database is vulnerable to rainbow table cracking if someone ever manages to steal it. Furthermore, there is no mechanism to upgrade user passwords to stronger/different hashing once they are created (cf. legacy hashing mode). This is a problem for any installation that does not employ an external LDAP user database.

A simple solution is to include the user name as salt in the password hash. For this purpose, the {{hashingMode}} choices in {{usersrepository.xml}} should include an new mode "salted" in addition to "legacy" and "default".

Additionally, the database should include an explicit column in the user table, which specifies the {{hashingMode}} of the stored password, and is used during verification. However, when a user changes the password,  the configured {{algorithm}} and {{hashingMode}} from {{usersrepository.xml}} will be used instead. This way, the database gradually upgrades over time to the preferred setting.

T-Shirt size L.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org