Jetty / JETTY-1272

Provide the possibility to add a salt when calculating and verifying the MD5 hash of a password

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 6.1.24
    • Fix Version/s: None
    • Component/s: Security and SSL
    • Labels: None
    • Number of attachments: 0

      Description

      Class org.mortbay.jetty.security.Credential provides the possibility to verify against a stored MD5 hash as well as providing one from a password given. Plain password hashes are vulnerable to rainbow table attacks when the password file is leaked (which could be the case when using HashUserRealm, which stores the hashes in a plain file). Therefore a salt is added to each password before being hashed to avoid this kind of attack. It would be worthwhile to consider adding such functionality to org.mortbay.jetty.security.Credential and org.mortbay.jetty.security.Credential.MD5.

      I am referring to version 6.1.24, which I am currently using. I scanned the bug database without finding the issue, therefore I assume that it is present in all versions.

      Regards
      Richard
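
The salting requested above, as an added example that is not part of the original report and not Jetty code: it shows that an unsalted MD5 digest is identical for every user with the same password, while a per-entry random salt makes each stored value unique and still verifiable. The `SMD5:<salt>:<digest>` storage format, the class name and the sample password are hypothetical; Java 17 or later is assumed for `HexFormat`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HexFormat;

public class SaltedMd5Demo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final HexFormat HEX = HexFormat.of();

    // MD5 over salt || password; an empty salt gives the plain, unsalted digest.
    static byte[] md5(byte[] salt, String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Hypothetical stored form: "SMD5:<salt hex>:<digest hex>", fresh 16-byte salt per entry.
    static String store(String password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return "SMD5:" + HEX.formatHex(salt) + ":" + HEX.formatHex(md5(salt, password));
    }

    // Recompute the digest with the stored salt and compare in constant time.
    static boolean check(String stored, String candidate) throws Exception {
        String[] parts = stored.split(":");
        if (parts.length != 3 || !parts[0].equals("SMD5")) return false;
        try {
            byte[] salt = HEX.parseHex(parts[1]);
            byte[] expected = HEX.parseHex(parts[2]);
            return MessageDigest.isEqual(expected, md5(salt, candidate));
        } catch (IllegalArgumentException malformedHex) {
            return false; // reject entries whose salt or digest is not valid hex
        }
    }

    public static void main(String[] args) throws Exception {
        String pw = "constructed-sample-password"; // constructed sample input
        // Unsalted: two users with the same password get the same digest,
        // so one precomputed table entry matches both.
        String u1 = HEX.formatHex(md5(new byte[0], pw));
        String u2 = HEX.formatHex(md5(new byte[0], pw));
        System.out.println("unsalted digests equal: " + u1.equals(u2));
        // Salted: same password, different stored values, both still verify.
        String s1 = store(pw), s2 = store(pw);
        System.out.println("salted entries equal:   " + s1.equals(s2));
        System.out.println("correct password:       " + check(s1, pw));
        System.out.println("wrong password:         " + check(s1, "not-the-password"));
    }
}
```

A salt defeats precomputed tables but does not slow down guessing against a single entry; a deliberately slow derivation such as PBKDF2 (`PBKDF2WithHmacSHA256` in the JDK) addresses that.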

          People

          • Assignee:
            Jesse McConnell
            Reporter:
            Richard Birenheide