[DISCUSS] - Change default password algorithm for 2.1.0


Colm O hEigeartaigh
Should we change the default password algorithm from SHA1 for 2.1.0? It's
probably time to migrate from SHA1 IMO.

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: [DISCUSS] - Change default password algorithm for 2.1.0

ilgrosso
Administrator
On 14/07/2017 10:48, Colm O hEigeartaigh wrote:
> Should we change the default password algorithm from SHA1 for 2.1.0? It's
> probably time to migrate from SHA1 IMO.

Makes sense.
The only problem I could see is when pulling hashed password values from
LDAP, where SHA1 is still quite common. Not a big deal, anyway.

Which algorithm do you propose?

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: [DISCUSS] - Change default password algorithm for 2.1.0

Colm O hEigeartaigh
I guess SHA-256 would be a straightforward replacement. Maybe we should
instead move to a salted hash though?

Colm.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: [DISCUSS] - Change default password algorithm for 2.1.0

ilgrosso
Administrator
On 14/07/2017 11:40, Colm O hEigeartaigh wrote:
> I guess SHA-256 would be a straightforward replacement. Maybe we should
> instead move to a salted hash though?

Well, just set your preference among

https://github.com/apache/syncope/blob/master/common/lib/src/main/java/org/apache/syncope/common/lib/types/CipherAlgorithm.java

:-)

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: [DISCUSS] - Change default password algorithm for 2.1.0

Colm O hEigeartaigh
How does the salt configuration work for "SSHA256"? Is it stored in
security.properties?

Colm.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: [DISCUSS] - Change default password algorithm for 2.1.0

ilgrosso
Administrator
On 14/07/2017 11:45, Colm O hEigeartaigh wrote:
> How does the salt configuration work for "SSHA256"? Is it stored in
> security.properties?

Password values are encrypted by

https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/Encryptor.java

with configuration from security.properties

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: [DISCUSS] - Change default password algorithm for 2.1.0

Colm O hEigeartaigh
OK thanks. Well I'd say that "SSHA256" would be best, WDYT?

BTW I'm a bit dubious about "SECRET_KEY = DEFAULT_SECRET_KEY;" in
Encryptor. If SECRET_KEY is null we should probably throw an exception...

Colm.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
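
An added example, not part of the thread and not Syncope's Encryptor code: a salted SHA-256 value carries its own random salt, so new hashes can use it while unsalted `{SHA}` values pulled from LDAP keep verifying. The `{SSHA256}` layout follows the common LDAP userPassword convention and is an assumption about format, not a description of how Syncope stores SSHA256 values; the class name and sample password are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Locale;

public class LdapPasswordHashes {
    private static final SecureRandom RANDOM = new SecureRandom();
    // digest(password || salt); an empty salt gives the unsalted form.
    static byte[] digest(String jcaName, String password, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance(jcaName);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            md.update(salt);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // New values: "{SSHA256}" + base64(SHA-256(password || salt) || salt), fresh salt per call.
    static String hashSsha256(String password) {
        byte[] salt = new byte[8];
        RANDOM.nextBytes(salt);
        byte[] hash = digest("SHA-256", password, salt);
        byte[] out = Arrays.copyOf(hash, hash.length + salt.length);
        System.arraycopy(salt, 0, out, hash.length, salt.length);
        return "{SSHA256}" + Base64.getEncoder().encodeToString(out);
    }

    // Dispatch on the scheme prefix so legacy {SHA}/{SSHA} values still verify.
    static boolean verify(String password, String stored) {
        int close = stored.indexOf('}');
        if (!stored.startsWith("{") || close < 0) return false;
        String scheme = stored.substring(1, close).toUpperCase(Locale.ROOT);
        String jcaName;
        int hashLen;
        switch (scheme) {
            case "SHA": case "SSHA": jcaName = "SHA-1"; hashLen = 20; break;
            case "SSHA256": jcaName = "SHA-256"; hashLen = 32; break;
            default: return false;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(stored.substring(close + 1));
        } catch (IllegalArgumentException e) {
            return false;
        }
        // {SHA} is digest only; salted schemes append the salt after the digest.
        if (raw.length < hashLen || (scheme.equals("SHA") && raw.length != hashLen)) return false;
        byte[] salt = Arrays.copyOfRange(raw, hashLen, raw.length);
        return MessageDigest.isEqual(Arrays.copyOf(raw, hashLen), digest(jcaName, password, salt));
    }

    public static void main(String[] args) {
        // Constructed sample: an unsalted SHA-1 value as it might arrive from an LDAP pull.
        String legacy = "{SHA}" + Base64.getEncoder().encodeToString(digest("SHA-1", "password123", new byte[0]));
        String first = hashSsha256("password123");
        System.out.println("legacy {SHA} verifies:  " + verify("password123", legacy));
        System.out.println("new value verifies:     " + verify("password123", first));
        System.out.println("wrong password accepted: " + verify("letmein", first));
        System.out.println("same password, same hash: " + first.equals(hashSsha256("password123")));
    }
}
```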

Re: [DISCUSS] - Change default password algorithm for 2.1.0

ilgrosso
Administrator
On 14/07/2017 11:54, Colm O hEigeartaigh wrote:
> OK thanks. Well I'd say that "SSHA256" would be best, WDYT?
>
> BTW I'm a bit dubious about "SECRET_KEY = DEFAULT_SECRET_KEY;" in
> Encryptor. If SECRET_KEY is null we should probably throw an exception...

We recently took a different approach for default admin password,
default JWS key, etc

https://issues.apache.org/jira/browse/SYNCOPE-1119

No?

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: [DISCUSS] - Change default password algorithm for 2.1.0

Colm O hEigeartaigh
Well I guess the difference between the two cases is that for SYNCOPE-1119
we need to have some (default) values in security.properties to get Syncope
to start properly (hence logging if the default values are detected).
Whereas for Encryptor, it has the default key hard-coded into the class. It
seems reasonable to me that it should error if the relevant property is not
read in from security.properties.

If you are ok with switching to SSHA256 for 2.1.0 I'll create a JIRA....

Colm.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: [DISCUSS] - Change default password algorithm for 2.1.0

ilgrosso
Administrator
On 14/07/2017 14:03, Colm O hEigeartaigh wrote:
> Well I guess the difference between the two cases is that for SYNCOPE-1119
> we need to have some (default) values in security.properties to get Syncope
> to start properly (hence logging if the default values are detected).
> Whereas for Encryptor, it has the default key hard-coded into the class. It
> seems reasonable to me that it should error if the relevant property is not
> read in from security.properties.

Well, the default jwKey is hard-coded in

https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java#L31

no?

> If you are ok with switching to SSHA256 for 2.1.0 I'll create a JIRA....

Sure, please go ahead.

Regards.

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Member at The Apache Software Foundation
Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
http://home.apache.org/~ilgrosso/


Re: [DISCUSS] - Change default password algorithm for 2.1.0

Colm O hEigeartaigh
On Fri, Jul 14, 2017 at 1:14 PM, Francesco Chicchiriccò <[hidden email]> wrote:

> Well, the default jwKey is hard-coded in
>
> https://github.com/apache/syncope/blob/master/core/spring/src/main/java/org/apache/syncope/core/spring/security/DefaultCredentialChecker.java#L31
>
> no?

Sure, but that's only used to check that the default value in
security.properties has been changed. The value in Encryptor is actually
used for encryption if the property does not appear in security.properties
at all. I'm just wondering if we need to support this use-case, it seems
reasonable to error if the property is not there, and then this default
value could be removed from Encryptor? Not a big deal either way though :-)

Colm.



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
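
An added example, not part of the thread and not Syncope's code, contrasting the two behaviours discussed for Encryptor: falling back to a built-in key when the property is absent, versus refusing to start. The property name `secretKey`, the placeholder default value, the class and method names, and the sample file contents are all assumptions made for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

public class SecretKeyLoading {

    // Placeholder standing in for a default compiled into the class; not Syncope's real value.
    static final String DEFAULT_SECRET_KEY = "PLACEHOLDER_DEFAULT_KEY";

    // Hypothetical property name; the thread only says the key is read from security.properties.
    static final String PROPERTY = "secretKey";

    // Behaviour questioned in the thread: a missing property silently becomes the built-in default.
    static String resolveLenient(Properties props) {
        String key = props.getProperty(PROPERTY);
        return key == null ? DEFAULT_SECRET_KEY : key;
    }

    // Behaviour proposed in the thread: a missing property is an error at startup.
    static String resolveStrict(Properties props) {
        String key = props.getProperty(PROPERTY);
        if (key == null || key.trim().isEmpty()) {
            throw new IllegalStateException(PROPERTY + " is not set in security.properties");
        }
        if (DEFAULT_SECRET_KEY.equals(key)) {
            // Present but unchanged: log it, in the spirit of the SYNCOPE-1119 default-value check.
            System.err.println("WARN: " + PROPERTY + " still has the shipped default value");
        }
        return key;
    }

    static Properties parse(String text) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(text));
        return props;
    }

    public static void main(String[] args) throws IOException {
        // Constructed security.properties contents: changed key, unchanged default, key line absent.
        String[] samples = {
            "secretKey=site-specific-value\n",
            "secretKey=PLACEHOLDER_DEFAULT_KEY\n",
            "someOtherProperty=value\n"
        };
        for (String sample : samples) {
            Properties props = parse(sample);
            boolean lenientUsesDefault = DEFAULT_SECRET_KEY.equals(resolveLenient(props));
            String strict;
            try {
                resolveStrict(props);
                strict = "accepted";
            } catch (IllegalStateException e) {
                strict = "refused (" + e.getMessage() + ")";
            }
            System.out.printf("lenient uses built-in default: %b | strict: %s%n",
                    lenientUsesDefault, strict);
        }
    }
}
```

In the third case the lenient loader returns the compiled-in key with no signal to the operator, which is the situation the strict loader turns into a startup failure.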