You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jspwiki.apache.org by "Andrew Jaquith (JIRA)" <ji...@apache.org> on 2008/05/14 22:10:55 UTC

[jira] Closed: (JSPWIKI-20) Password hash should be salted

     [ https://issues.apache.org/jira/browse/JSPWIKI-20?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Jaquith closed JSPWIKI-20.
---------------------------------


> Password hash should be salted
> ------------------------------
>
>                 Key: JSPWIKI-20
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-20
>             Project: JSPWiki
>          Issue Type: Improvement
>          Components: Authentication&Authorization
>    Affects Versions: 2.5.139-beta
>            Reporter: Janne Jalkanen
>            Assignee: Andrew Jaquith
>             Fix For: 2.8
>
>         Attachments: jspwiki-20.patch
>
>
> The password hash is calculated as a direct SHA1-digest of the password.  Unfortunately this means that it's vulnerable to brute-force attacks - there are many web sites which store SHA1 hashes of common passwords.  The key space in most languages is pretty small... So the password should really be properly salted with preferably a long, random string.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.