3 Replies Latest reply on Oct 4, 2004 12:58 PM by Scott Stark

    salted password hashing

    David Norris Newbie

      All,

      I was delighted to discover that JBoss' built-in login modules now support password hashing. Is there a way to support *salted* hashes out of the box?

      On another note, I couldn't get the forum search tool to do "search for all terms" properly. For "passwordHash salt," it gave me the same results whether I searched for all terms or any. And none of the pages I could find contained the word "salt." It used to work... okay, no big deal, just thought I'd mention it.

      Many thanks, and to the development team, *great job* on 4.0!

        • 1. Re: salted password hashing
          Scott Stark Master

          No, the password hash just uses the java.security.MessageDigest for the indicated algorithm and there is no salt added. Is there a specific mechanism for adding a salt your looking for?

          • 2. Re: salted password hashing
            David Norris Newbie

            We use the user ID (a UUID) as a salt by prepending it to the password before hashing. I know it's easy to subclass the stock module and control the way it tests passwords; I just wondered if it'd do it for me.

            I guess one problem with supporting this in the built-in modules is that there are so many ways of doing it. Use some random characters as a salt? Something else? Where does the salt get stored -- in its own database column or prepended / appended to the hash output a-la-crypt()?

            It might be worth implementing at least minimal support for it though, since in my opinion hashed passwords are completely useless without salts (too easy to precompute cracking tables and run them against a compromised database).

            Does JBoss accept code contributions from the community? I wouldn't mind adding basic crypt()-style salt support to the stock module for a future version...

            • 3. Re: salted password hashing
              Scott Stark Master

              Right, there is any number of ways the salt could be incorporated. The most general approach would be to add an interface that allowed for arbitrary updating of the MessageDigest. The interface could be something like:

              public interface DigestCallback
              {
               /** Pass through access to the login module options */
               public void init(Map options);
               /** Pre-hash callout to allow for content before the password */
               public void preDigest(MessageDigest digest);
               /** Post-hash callout afer the password has been added to allow for content after the password */
               public void postDigest(MessageDigest digest);
              }
              


              and the implementation class would be specified as an option to the login module.

              Patches for suggested mods can be sumitted to sourceforge:
              http://sourceforge.net/tracker/?group_id=22866&atid=376687