Provide the possibility to add a salt when calculating and verifiying the MD5 hash of a password

Details

Type: Improvement
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 6.1.24
Fix Version/s: None
Component/s: Security and SSL
Labels:
None

Number of attachments :
0

Description

Class org.mortbay.jetty.security.Credential provides the possibility to verify against a stored MD5 hash as well as providing one from a password given. Plain password hashes are vulnerable to rainbow table attacks when the password file is leaking (which could be the case when using HashUserRealm, which stores the hashes in a plain file). Therefore a salt is added to each password before being hashed to avoid this kind of attack. It would be worthwile to consider adding such a functionality to org.mortbay.jetty.security.Credential and org.mortbay.jetty.security.Credential.MD5.

I am relating to version 6.1.24 I am currently using. I scanned the bug database not finding the issue, therefore I assume that it is present in all versions.

Regards
Richard

Activity

Ascending order - Click to sort in descending order

Michael Gorovoy made changes - 20/Sep/10 7:34 PM

Field	Original Value	New Value
Assignee		Greg Wilkins [ gregw ]

Greg Wilkins made changes - 28/Sep/10 4:44 PM

Assignee

Greg Wilkins [ gregw ]

Jesse McConnell [ jesse ]

People

Assignee:

Jesse McConnell

Reporter:

Richard Birenheide

Vote (0)

Watch (0)

Dates

Created:

08/Sep/10 3:16 AM

Updated:

27/Nov/11 2:37 AM