https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #16 from Christopher Schultz <ch...@christopherschultz.net> ---

(In reply to S from comment #15)
> Hi,
>
> What I'm doing is to hash the user-entered password 999x on the client with
> a salt (visible in the JS code) on the OK click in my login form. Then I
> send it to Tomcat and have it compared to the stored hash (1000x hashed with
> the same salt).

This is awful security. When the client is involved in authentication, that's called not being authenticated.

In production, we salt-hash 75000 times by default, and should probably do more. 10k times isn't nearly enough.

> This way an unhashed password is never sent (not even when you are not
> using https, which you shouldn't) and you can configure the number of
> pre-hashing rounds to your needs (to be safe against generating rainbow
> tables for your salt). This might be useful in times of modern GPUs
> executing billions of SHA1 hashes per second (2300M/s SHA1 hashes in 2009).

Shouldn't use HTTPS, or shouldn't send otherwise-unencrypted passwords over HTTPS? Both of those sound like bad advice.

Nobody should be using SHA-1 anymore for authentication. Realistically, nobody should be using crypto hashing for password hashing, anyway.

--
You are receiving this mail because:
You are the assignee for the bug.
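The two points in comment #16, worked through as an added example (this is not code from the bug report or from Tomcat): first, in the comment #15 scheme the 999-round value the browser sends is itself the credential, so anyone who captures it on an unencrypted connection can log in without ever knowing the password; second, a server-side password hash with a random per-user salt and a high iteration count, using PBKDF2-HMAC-SHA256 from the Python standard library. The salt, passwords and record format are constructed for the example; the 75000 iteration count is the figure quoted in comment #16, and bcrypt, scrypt or Argon2 are the usual choices when a third-party package is available.

```python
"""Added example (not code from the Tomcat bug report): why a fixed client-side
pre-hash is a password-equivalent, next to a server-side salted, iterated
password hash. All values below are constructed."""
import hashlib
import hmac
import os

# Constructed salt; in the comment #15 scheme it is visible in the login page's JS.
PUBLIC_SALT = b"constructed-site-wide-salt"
CLIENT_ROUNDS = 999                # client does 999 rounds (comment #15)
STORED_ROUNDS = CLIENT_ROUNDS + 1  # server stores the 1000-round value (comment #15)


def iterated_sha1(data: bytes, salt: bytes, rounds: int) -> bytes:
    """Plain iterated SHA-1 over salt||previous, as the pre-hash scheme does."""
    h = data
    for _ in range(rounds):
        h = hashlib.sha1(salt + h).digest()
    return h


# --- Scheme from comment #15 --------------------------------------------------
def client_prehash(password: str) -> bytes:
    """What the browser sends instead of the password."""
    return iterated_sha1(password.encode("utf-8"), PUBLIC_SALT, CLIENT_ROUNDS)


def register_prehash(password: str) -> bytes:
    """What the server stores: one more round than the client computes."""
    return iterated_sha1(password.encode("utf-8"), PUBLIC_SALT, STORED_ROUNDS)


def verify_prehash(received: bytes, stored: bytes) -> bool:
    """Server applies the 1000th round and compares in constant time."""
    return hmac.compare_digest(hashlib.sha1(PUBLIC_SALT + received).digest(), stored)


def replay_captured_prehash(captured_on_wire: bytes, stored: bytes) -> bool:
    """An attacker who saw the 999-round value on the wire never needs the
    password: the pre-hash *is* the credential, so sniffing it is exactly as
    good as sniffing the password. This is the sense in which the client
    'being involved' in authentication authenticates nothing."""
    return verify_prehash(captured_on_wire, stored)


# --- Server-side password hashing (what the server should do instead) ---------
# PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt.
# 75000 is the iteration count quoted in comment #16 (an assumption for this
# example, not a recommendation tuned for any particular hardware).
ITERATIONS = 75000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record so the iteration count can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    stored = register_prehash("correct horse")
    on_wire = client_prehash("correct horse")
    print("pre-hash scheme, replay of sniffed value:",
          replay_captured_prehash(on_wire, stored))
    rec = hash_password("correct horse")
    print("server-side PBKDF2, right password:", verify_password("correct horse", rec))
    print("server-side PBKDF2, wrong password:", verify_password("correct battery", rec))
```

Note that server-side hashing on its own does not stop a sniffed password from being replayed either; what it changes is that a stolen database no longer hands out password-equivalents, and the per-user random salt means a rainbow table built for one site-wide salt is useless. Protecting the password in transit is TLS's job, which is why the "don't use HTTPS" reading of comment #15 gets the reply it does.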