1. Re: salted password hashing
starksm64 Oct 4, 2004 2:30 AM (in response to danorris)
No, the password hash just uses the java.security.MessageDigest for the indicated algorithm and there is no salt added. Is there a specific mechanism for adding a salt you're looking for?
2. Re: salted password hashing
danorris Oct 4, 2004 3:50 AM (in response to danorris)
We use the user ID (a UUID) as a salt by prepending it to the password before hashing. I know it's easy to subclass the stock module and control the way it tests passwords; I just wondered if it'd do it for me.
I guess one problem with supporting this in the built-in modules is that there are so many ways of doing it. Use some random characters as a salt? Something else? Where does the salt get stored -- in its own database column or prepended / appended to the hash output a-la-crypt()?
It might be worth implementing at least minimal support for it though, since in my opinion hashed passwords are completely useless without salts (too easy to precompute cracking tables and run them against a compromised database).
Does JBoss accept code contributions from the community? I wouldn't mind adding basic crypt()-style salt support to the stock module for a future version...
3. Re: salted password hashing
starksm64 Oct 4, 2004 12:58 PM (in response to danorris)
Right, there is any number of ways the salt could be incorporated. The most general approach would be to add an interface that allowed for arbitrary updating of the MessageDigest. The interface could be something like:
    import java.security.MessageDigest;
    import java.util.Map;

    public interface DigestCallback
    {
        /** Pass through access to the login module options */
        public void init(Map options);

        /** Pre-hash callout to allow for content before the password */
        public void preDigest(MessageDigest digest);

        /** Post-hash callout after the password has been added to allow for content after the password */
        public void postDigest(MessageDigest digest);
    }
and the implementation class would be specified as an option to the login module.
Patches for suggested mods can be submitted to sourceforge:
http://sourceforge.net/tracker/?group_id=22866&atid=376687
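The following is an added, self-contained example (not code from the thread or from JBoss) that puts the two posts above together: it implements the DigestCallback interface sketched in post 3 with a callback that feeds a per-user salt into the digest before the password, as in the prepend-the-UUID scheme from post 2, and stores salt and hash in one field separated by '$', the crypt()-style layout post 2 asks about. The "salt" option key, the PrefixSaltCallback and SaltedHashDemo classes, and the hash/store/verify helpers are all assumptions made for this example; only the interface's method signatures come from the post. Note that a salt defeats precomputed tables but does not slow down a brute-force run against a single stolen hash; a plain MessageDigest has no work factor.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

/** The callback interface as proposed in post 3 (signatures taken from the post). */
interface DigestCallback {
    void init(Map options);
    void preDigest(MessageDigest digest);
    void postDigest(MessageDigest digest);
}

/**
 * Hypothetical callback (not part of JBoss): feeds the per-user salt into the
 * digest before the password bytes, matching the "prepend the UUID" scheme.
 * The salt arrives through the options map under the assumed key "salt".
 */
class PrefixSaltCallback implements DigestCallback {
    private byte[] salt;

    public void init(Map options) {
        Object s = options.get("salt");
        if (s == null) throw new IllegalArgumentException("salt option is required");
        this.salt = s.toString().getBytes(StandardCharsets.UTF_8);
    }

    public void preDigest(MessageDigest digest) {
        digest.update(salt); // salt goes in before the password bytes
    }

    public void postDigest(MessageDigest digest) {
        // nothing is appended in this scheme
    }
}

public class SaltedHashDemo {
    private static final SecureRandom RNG = new SecureRandom();

    /** 16 random bytes, hex-encoded: the "random characters" alternative from post 2. */
    static String newSalt() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return hex(b);
    }

    /** Runs the callback around the password update, the way a login module using DigestCallback would. */
    static String hash(String algorithm, String salt, char[] password, DigestCallback cb)
            throws NoSuchAlgorithmException {
        Map<String, String> options = new HashMap<>();
        options.put("salt", salt);
        cb.init(options);
        MessageDigest md = MessageDigest.getInstance(algorithm);
        cb.preDigest(md);
        md.update(new String(password).getBytes(StandardCharsets.UTF_8));
        cb.postDigest(md);
        return hex(md.digest());
    }

    /** crypt()-style storage: salt and hash in one column, separated by '$'. */
    static String store(String algorithm, char[] password) throws NoSuchAlgorithmException {
        String salt = newSalt();
        return salt + "$" + hash(algorithm, salt, password, new PrefixSaltCallback());
    }

    /** Re-derives the hash from the stored salt and compares in constant time. */
    static boolean verify(String algorithm, String stored, char[] candidate)
            throws NoSuchAlgorithmException {
        int sep = stored.indexOf('$');
        if (sep < 0) return false;
        String salt = stored.substring(0, sep);
        byte[] expected = stored.substring(sep + 1).getBytes(StandardCharsets.UTF_8);
        byte[] actual = hash(algorithm, salt, candidate, new PrefixSaltCallback())
                .getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        char[] pw = "correct horse".toCharArray(); // constructed sample password
        String a = store("SHA-256", pw);
        String b = store("SHA-256", pw);
        System.out.println(a);
        System.out.println(b);
        System.out.println("distinct hashes for the same password: " + !a.equals(b));
        System.out.println("verify ok:  " + verify("SHA-256", a, pw));
        System.out.println("verify bad: " + verify("SHA-256", a, "wrong".toCharArray()));
    }
}
```

Running main stores the same password twice and shows two different salt$hash strings, which is the property that defeats a precomputed table: an attacker who obtains the table must rebuild it per salt. Verification never needs a separate salt column because the salt is recovered from the stored value, and the comparison uses MessageDigest.isEqual rather than String.equals so that the time taken does not depend on how many leading bytes match.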