https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #18 from Gabriel <gabrielesanc...@gmail.com> ---

The only advantage I see of hashing on the client side is not storing a String with the cleartext password in memory. Strings are immutable objects, so they cannot be cleared once password processing is completed. If no references point to it, then the garbage collector should eventually do the job. I've seen that careful password authentication implementations use a char array for this reason. Char arrays are mutable, so as soon as password processing is complete, all of the array elements are zeroed out, reducing the time an attacker might have to read the password out of memory. Tomcat's password authentication methods should follow this best practice and be changed to do the handling with char[].

A risk of receiving the cleartext password is that someone with access to the server may write code to store passwords, and if users use the same password for other web accounts, then bad things can happen. Hashing might make it just a bit less easy for an insider to do that. They can still do brute force and dictionary attacks, of course. So it doesn't go a long way at all.

Hashing on the server is necessary to protect passwords in the event a malicious person obtains access to the password table, even if hashing was done on the client side. Client side hashing by itself would make no difference here. And of course, no kind of hashing protects from weak passwords or stolen passwords from the clients via key loggers and whatnot.

Should we change the metadata of this thread to reflect the direction the discussion has taken? Is this still a Tomcat 6 issue, or should we say it is a proposed new feature for Tomcat 8 revisions? Or do you think that all versions of Tomcat should be updated?
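The char[] handling the comment argues for, as an added example that is not part of the bug thread and not Tomcat's own code: the password is accepted as a mutable char[], run through PBKDF2 (PBEKeySpec takes a char[] and offers clearPassword() for the same reason), compared in constant time, and zeroed in a finally block on every path. The class name, record format ("iterations$salt$hash"), iteration count and the sample passphrase are assumptions made for the demo; a real caller would obtain the char[] from a source such as Console.readPassword() rather than from a String literal, because the literal itself stays in the heap until collected and so cannot be wiped.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example (not Tomcat code): password handling with char[] so the buffer can be zeroed. */
public final class CharArrayPasswordCheck {

    private static final int DEFAULT_ITERATIONS = 100_000; // assumption: tune for your hardware
    private static final int KEY_BITS = 256;

    /** PBKDF2-HMAC-SHA256 over a char[] password; the caller keeps ownership of the array. */
    static byte[] derive(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // the spec holds its own copy of the password; wipe it too
        }
    }

    /** Enrol: returns "iterations$base64(salt)$base64(hash)"; the password array is zeroed when done. */
    static String enrol(char[] password) throws Exception {
        try {
            byte[] salt = new byte[16];
            new SecureRandom().nextBytes(salt);
            byte[] hash = derive(password, salt, DEFAULT_ITERATIONS);
            return DEFAULT_ITERATIONS + "$"
                    + Base64.getEncoder().encodeToString(salt) + "$"
                    + Base64.getEncoder().encodeToString(hash);
        } finally {
            Arrays.fill(password, '\0'); // mutable buffer: erase the cleartext as soon as we are done
        }
    }

    /** Verify against a stored record; constant-time compare, password zeroed in every path. */
    static boolean verify(char[] password, String stored) throws Exception {
        try {
            String[] parts = stored.split("\\$");
            int iterations = Integer.parseInt(parts[0]);
            byte[] salt = Base64.getDecoder().decode(parts[1]);
            byte[] expected = Base64.getDecoder().decode(parts[2]);
            byte[] actual = derive(password, salt, iterations);
            boolean ok = MessageDigest.isEqual(expected, actual); // not Arrays.equals: no early exit
            Arrays.fill(actual, (byte) 0);
            return ok;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    /** True when every element of the buffer has been zeroed. */
    static boolean allNul(char[] buf) {
        for (char c : buf) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. The String literal below stays in the heap until collected,
        // which is exactly the problem the comment describes; only the char[] copy can be wiped.
        char[] pw = "correct horse battery staple".toCharArray();
        String record = enrol(pw);
        System.out.println("stored record:                  " + record);
        System.out.println("buffer zeroed after enrol:      " + allNul(pw));
        System.out.println("correct password accepted:      "
                + verify("correct horse battery staple".toCharArray(), record));
        System.out.println("wrong password rejected:        "
                + !verify("Tr0ub4dor&3".toCharArray(), record));
    }
}
```

The finally blocks are the point of the exercise: whether verification succeeds, fails, or throws, the caller's char[] is overwritten before control leaves the method, which bounds how long the cleartext sits in the heap. This does nothing against a weak or keylogged password, and it does not replace server-side hashing of the stored record; it only shortens the in-memory exposure the comment is concerned with.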