You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@felix.apache.org by "Antonio Sanso (JIRA)" <ji...@apache.org> on 2018/09/21 06:07:00 UTC
[jira] [Created] (FELIX-5934) The Felix Web Console stores unsalted
hashed password
Antonio Sanso created FELIX-5934:
------------------------------------
Summary: The Felix Web Console stores unsalted hashed password
Key: FELIX-5934
URL: https://issues.apache.org/jira/browse/FELIX-5934
Project: Felix
Issue Type: Bug
Components: Web Console
Reporter: Antonio Sanso
The Felix Web Console currently stores unsalted hashed password [0]
This violates common security hygiene and industry standard.
The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. *Argon2* or *PBKDF2* *.* See [1]
[0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]
[1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)