https://issues.apache.org/bugzilla/show_bug.cgi?id=51966
--- Comment #21 from S <bl...@gmx.net> ---

In order to illustrate how I understood the possibilities and their use in Tomcat, I made a list of authentication mechanisms:

0) Compare the sent PW to the stored PW
1) Hashing the sent PW on the server, compare it to the stored hash (Tomcat default)
2) Hashing the PW n times on the client, hashing the sent hashed PW once more on the server, compare it to the stored n+1 rounds hash
3) Hashing the PW n times on the client (with a [fixed and user-known] salt), hashing the sent hashed PW once more on the server, compare it to the stored n+1 rounds hash (n with salt, 1 without salt)
4) Using jBCrypt / scrypt

All these come in http / https flavors.

As far as I understand, only 1, 2 and 3 are possible today without changing Tomcat. Do you agree?

In terms of security it is 0<<<<<<<<<<<<<<<<<<1<<<<<<<<<<<<<<<<<<2<3<<<<<<<<<<<<<<<<<< ..... <<<<<<<<<<<<<<<<<<4

Support for jBCrypt / scrypt would really be great!
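The five schemes in the comment, written out as an added Python example (this is not Tomcat code and not the commenter's; it is added here for illustration). SHA-256 stands in for "the hash", the client round count and the fixed salt are constructed values, and hashlib.scrypt stands in for scheme 4; the wire format and enrollment functions are assumptions, not anything Tomcat defines.

```python
import hashlib
import hmac
import os

# Constructed parameters (assumptions for this example, not Tomcat settings).
CLIENT_ROUNDS = 1000            # n in schemes 2 and 3
USER_SALT = b"example-user-salt"  # scheme 3: fixed salt known to the user


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def iterate(data: bytes, rounds: int, salt: bytes = b"") -> bytes:
    """Apply SHA-256 `rounds` times; `salt` (if any) is prepended to every round's input."""
    h = data
    for _ in range(rounds):
        h = sha256(salt + h)
    return h


# Scheme 0: plaintext stored, plaintext sent, direct comparison.
def enroll_0(pw: bytes) -> bytes:
    return pw

def verify_0(sent: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(sent, stored)


# Scheme 1: the client sends the plaintext; the server hashes it once and compares.
def enroll_1(pw: bytes) -> bytes:
    return sha256(pw)

def verify_1(sent_pw: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(sha256(sent_pw), stored)


# Scheme 2: the client hashes n times and sends that; the server hashes once more.
# The stored value is therefore the n+1 round hash.
def enroll_2(pw: bytes) -> bytes:
    return sha256(iterate(pw, CLIENT_ROUNDS))

def client_send_2(pw: bytes) -> bytes:
    return iterate(pw, CLIENT_ROUNDS)

def verify_2(sent_hash: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(sha256(sent_hash), stored)


# Scheme 3: as scheme 2, but the client's n rounds are salted; the server's final round is not.
def enroll_3(pw: bytes, salt: bytes) -> bytes:
    return sha256(iterate(pw, CLIENT_ROUNDS, salt))

def client_send_3(pw: bytes, salt: bytes) -> bytes:
    return iterate(pw, CLIENT_ROUNDS, salt)

def verify_3(sent_hash: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(sha256(sent_hash), stored)


# Scheme 4: a memory-hard password KDF on the server (scrypt from hashlib as a stand-in for
# jBCrypt / scrypt), with a random per-user salt stored next to the derived key.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # ~16 MiB of work per guess (assumed values)

def enroll_4(pw: bytes) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.scrypt(pw, salt=salt, **SCRYPT_PARAMS)

def verify_4(sent_pw: bytes, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hashlib.scrypt(sent_pw, salt=salt, **SCRYPT_PARAMS), stored)


if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed sample password
    print("scheme 1:", verify_1(pw, enroll_1(pw)))
    print("scheme 2:", verify_2(client_send_2(pw), enroll_2(pw)))
    print("scheme 3:", verify_3(client_send_3(pw, USER_SALT), enroll_3(pw, USER_SALT)))
    salt, stored = enroll_4(pw)
    print("scheme 4:", verify_4(pw, salt, stored))
```

One property the code makes visible: in schemes 2 and 3 the value the client sends is whatever the server hashes once more, so a captured `client_send_2`/`client_send_3` output passes `verify_2`/`verify_3` on replay just as the password itself would under scheme 1. Client-side hashing changes what an attacker learns from the database, not what they can do with a sniffed request, which is why the http / https distinction still matters for every scheme.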