Posted to server-dev@james.apache.org by "Ioan Eugen Stan (Jira)" <se...@james.apache.org> on 2021/11/18 20:04:00 UTC

[jira] [Commented] (JAMES-3674) Support password salting and hash scheme upgrading

    [ https://issues.apache.org/jira/browse/JAMES-3674?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17446126#comment-17446126 ] 

Ioan Eugen Stan commented on JAMES-3674:
----------------------------------------

My recommendation is to avoid rolling your own password hashing (and crypto in general) and instead adopt an industry standard methodology.

There are a few standardized password hashing algorithms that are used by other tools and if we adopt them, passwords could be checked by standard tools and even copied to other systems that use the same hashing algorithms.

Modern current hashing algorithms:
PBKDF2
bcrypt
scrypt
Argon2

Apache licensed library that can hash using those algorithms:  [https://github.com/Password4j/password4j]

Other solutions might exist.

> Support password salting and hash scheme upgrading
> --------------------------------------------------
>
>                 Key: JAMES-3674
>                 URL: https://issues.apache.org/jira/browse/JAMES-3674
>             Project: James Server
>          Issue Type: Improvement
>          Components: UsersStore & UsersRepository
>    Affects Versions: master
>            Reporter: Karsten Otto
>            Priority: Major
>          Time Spent: 4h 40m
>  Remaining Estimate: 0h
>
> Currently, James does not use salt during password hashing, so its password database is vulnerable to rainbow table cracking if someone ever manages to steal it. Furthermore, there is no mechanism to upgrade user passwords to stronger/different hashing once they are created (cf. legacy hashing mode). This is a problem for any installation that does not employ an external LDAP user database.
> A simple solution is to include the user name as salt in the password hash. For this purpose, the {{hashingMode}} choices in {{usersrepository.xml}} should include a new mode "salted" in addition to "legacy" and "default".
> Additionally, the database should include an explicit column in the user table, which specifies the {{hashingMode}} of the stored password, and is used during verification. However, when a user changes the password, the configured {{algorithm}} and {{hashingMode}} from {{usersrepository.xml}} will be used instead. This way, the database gradually upgrades over time to the preferred setting.
> T-Shirt size L.
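The scheme proposed in the issue, as an added Python example that is not code from James or from password4j: each user row carries the hashingMode it was written with, verification follows the stored mode rather than the configured one, and the row is rehashed with the configured algorithm when the plaintext is next available. It also rehashes on a successful login, which the issue does not mention but which drains "legacy" rows without waiting for a password change; the mode names, function names, row layout and iteration count are assumptions, with PBKDF2 standing in for whichever standard algorithm is configured.

```python
import base64
import hashlib
import hmac
import os

# Assumed modes: "legacy" (unsalted SHA-256, the scheme being migrated away
# from), "salted" (user name as salt, as the issue suggests) and "pbkdf2"
# (random salt, the configured strong scheme). All names are illustrative.
CONFIGURED_MODE = "pbkdf2"
PBKDF2_ITERATIONS = 100_000  # assumption; raise for production deployments


def legacy_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(username, password):
    # The user name is a deterministic salt: same password, different hashes per user.
    return hashlib.sha256((username + ":" + password).encode()).hexdigest()


def pbkdf2_hash(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Store the salt next to the digest so verification can reproduce it.
    return base64.b64encode(salt).decode() + "$" + base64.b64encode(dk).decode()


def make_record(username, password, mode=CONFIGURED_MODE):
    """Build a user row {hash, hashingMode} using the requested mode."""
    if mode == "legacy":
        return {"hash": legacy_hash(password), "hashingMode": mode}
    if mode == "salted":
        return {"hash": salted_hash(username, password), "hashingMode": mode}
    if mode == "pbkdf2":
        return {"hash": pbkdf2_hash(password), "hashingMode": mode}
    raise ValueError("unknown hashingMode: " + mode)


def verify(username, password, record):
    """Check a password with the mode stored in the row, not the configured one."""
    mode = record["hashingMode"]
    if mode == "pbkdf2":
        salt_b64, _ = record["hash"].split("$", 1)
        expected = pbkdf2_hash(password, base64.b64decode(salt_b64))
    else:
        expected = make_record(username, password, mode)["hash"]
    return hmac.compare_digest(expected, record["hash"])


def verify_and_upgrade(username, password, record):
    """Return (ok, record); on success with an outdated mode, rehash with the configured one."""
    if not verify(username, password, record):
        return False, record
    if record["hashingMode"] != CONFIGURED_MODE:
        record = make_record(username, password)
    return True, record
```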



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
