Posted to dev@tomcat.apache.org by bu...@apache.org on 2012/03/20 07:50:14 UTC

DO NOT REPLY [Bug 51966] Tomcat does not support ssha hashed passwords in all contexts

https://issues.apache.org/bugzilla/show_bug.cgi?id=51966

--- Comment #7 from Neale Rudd <ne...@metawerx.net> 2012-03-20 06:50:14 UTC ---
Hey Guys,

Great work on the patch so far Adam.

I'd love to see this implemented as well.  The current hashing provides no
security at all unless symbols are used in the passwords, because of the
availability of good, large rainbow tables on the net these days.

However, I'd prefer the salt to be prepended and separated with a $ symbol like
other implementations typically use.  The current patch seems to rely on a
fixed salt-length, which means the length can't ever be changed (all hashes
would become useless).

e.g.:
arbitrary-length-hex-encoded-salt-bytes$hex-encoded-digest

The patch can check for a $ symbol, and separate the string based on it.

Advantages:
- If no $ mark found, the digest can be treated as non-salted - so older hashes
can remain valid until the users change their passwords.
- Avoids needing to set the salt-length in a server.xml parameter, which
removes a couple of functions from the patch and the necessary extra
documentation for them.

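The salt$digest layout proposed in the comment above, as an added example that is neither the Tomcat patch nor the commenter's code. The digest algorithm (SHA-256), UTF-8 password encoding and hex encoding of both parts are assumptions; the message itself specifies only the '$' separator, an arbitrary-length salt, and the fallback to an unsalted digest when no '$' is present.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters: the message names neither a digest algorithm nor an encoding.
ALGORITHM = "sha256"
SEPARATOR = "$"


def digest(data: bytes) -> str:
    """Hex digest of raw bytes with the assumed algorithm."""
    return hashlib.new(ALGORITHM, data).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, salt_len: int = 16) -> str:
    """Return 'hexsalt$hexdigest'. The salt may be any length; 16 random bytes by default."""
    if salt is None:
        salt = secrets.token_bytes(salt_len)
    return salt.hex() + SEPARATOR + digest(salt + password.encode("utf-8"))


def is_legacy(stored: str) -> bool:
    """True for a stored value with no '$', i.e. an unsalted pre-migration digest."""
    return SEPARATOR not in stored


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate password against a stored value.

    The salt length is read from the stored value itself, so no server.xml
    setting is needed and hashes with different salt lengths coexist.
    A value without '$' is treated as a legacy unsalted digest, which keeps
    old credentials valid until the user changes the password.
    """
    if is_legacy(stored):
        expected = stored
        computed = digest(password.encode("utf-8"))
    else:
        hex_salt, expected = stored.split(SEPARATOR, 1)
        try:
            salt = bytes.fromhex(hex_salt)
        except ValueError:
            return False  # malformed salt: reject rather than guess
        computed = digest(salt + password.encode("utf-8"))
    # Constant-time comparison of the hex strings.
    return hmac.compare_digest(computed, expected)


if __name__ == "__main__":
    stored = hash_password("correct horse")  # constructed sample password
    print(stored, verify_password("correct horse", stored))
```

The is_legacy check also lets an operator list accounts still on unsalted digests and prompt those users to rotate.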