Store only hashed secrets

Description

(1) Hashed with SHA-512 and an individual salt per user.
(2) Requires storage of both password and salt.
(3) Salt should be long (30 chars) and random.
(4) Conversion of old clear-text passwords into hashes. Quick check on startup for password triple can trigger a fast replacement method.
(5) PrincipalManager needs to get some additional methods.
(6) Principal.getSecret() should be removed or at least deprecated - or renamed and changed into getHashedSecret().

Environment

None

Activity

Hannes Ebner
October 14, 2013, 7:29 PM

Using PBKDF2 now, introduced new class "Password" with helper methods. Adapted Verifier classes and User class.

Hannes Ebner
August 15, 2012, 11:51 AM
Hannes Ebner
April 9, 2012, 8:32 PM
Edited

Not bcrypt or pbkdf2 either, scrypt seems to be the algorithm of choice. Java impl can be found at https://github.com/wg/scrypt

Hannes Ebner
April 9, 2012, 8:30 PM

Should not use cryptographic hash functions, should use password hashing algorithm instead (scrypt, bcrypt or pbkdf2), see http://www.codinghorror.com/blog/2012/04/speed-hashing.html

Fixed

Assignee

Hannes Ebner

Reporter

Hannes Ebner

Labels

None

Fix versions

Priority

Normal