On 02/02/2014 02:51 AM, Nick Williams wrote:
On Feb 2, 2014, at 1:23 AM, Gabriel E. Sánchez Martínez wrote:
Hi developers,
I am very new to Tomcat but am already getting my feet wet with a web
application. A requirement for this application is form-based password
authentication, and I would like to store passwords in a database using salted
SHA-512 digests
I can't speak to most of this email, but don't do this. SHA-x is a *fast*
hashing algorithm. It's not designed for passwords. The problem with fast
hashing algorithms is that they are *very* susceptible to rainbow table
attacks. Modern password-hacking systems with 24 GPUs can calculate billions of
MD5 and SHA-x hash attacks per second.
I strongly recommend you use a *slow* hashing algorithm such as bcrypt, which
is designed specifically for hashing passwords. These algorithms use more than
just CPU/GPU operations (such as memory). Password hacking systems can only
calculate thousands of these per second instead of millions. It's much better
protection in case your password database is ever stolen.
Thanks Nick. I will look into the options available for digest
algorithms. The code I attached works with any digest algorithm,
though. So I think (but do tell me if I am missing something) that the
question of whether there is interest to include a realm that supports
salted passwords still stands. Or more generally, it seems that the
realms that ship with Tomcat (specifically the ones based on password
storage) provide weak security in the event of a compromised password
table, which suggests two things. First, the documentation should be
improved so that newcomers (like me) better understand the risks
associated with using the standard realms, and they are better placed to
implement more secure realms. Second, Tomcat should ship with a more
secure password storage realm options so that newcomers get better
security out of the box. The defaults should be strong salted digests,
not cleartext or unsalted digests. Do people agree?
, recognizing that this is not state-of-the-art password protection, but it is
a more secure method than unsalted digests in the event that the password table
is compromised.
<snip />
Nick
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
