https://issues.apache.org/bugzilla/show_bug.cgi?id=53785
--- Comment #3 from da...@leppik.net ---

I think you miss one important point, namely that Tomcat only supports bidirectional hashes, whereas modern password hash functions are one-way. One workaround is for the user to provide salt (which currently isn't possible--see Bug 51966), but that is more error prone and arguably less secure than having the salt baked into the password algorithm. Using a different MessageDigest does not fix this.

But as a bare minimum, could we at least change the documentation to direct novice users toward SHA-256 or better, since it currently implies that SHA, MD2, and MD5 are the only options?