You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@felix.apache.org by "Antonio Sanso (JIRA)" <ji...@apache.org> on 2018/09/21 06:07:00 UTC

[jira] [Created] (FELIX-5934) The Felix Web Console stores unsalted hashed password

Antonio Sanso created FELIX-5934:
------------------------------------

             Summary: The Felix Web Console stores unsalted hashed password
                 Key: FELIX-5934
                 URL: https://issues.apache.org/jira/browse/FELIX-5934
             Project: Felix
          Issue Type: Bug
          Components: Web Console
            Reporter: Antonio Sanso


The Felix Web Console currently stores unsalted hashed password [0]

This violates common security hygiene and industry standard.

The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. *Argon2*  or *PBKDF2*  *.* See [1]

 

 [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]

[1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)