[jetty-dev] Can someone please shed some light on the security of passwo

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-dev] Can someone please shed some light on the security of password hashing offered in jetty?

From: Edmond Kemokai <ekemokai@xxxxxxxxxxxxx>
Date: Sun, 19 Feb 2017 21:24:58 -0500
Delivered-to: jetty-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-dev>
List-help: <mailto:jetty-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-dev>, <mailto:jetty-dev-request@eclipse.org?subject=unsubscribe>

Specifically, it seems jetty only supports MD5 and UnixCrypt as methods for hashing passwords, neither is considered secure (someone correct me on this).

Is the expectation that users who want security will roll their own LoginService implementations and support stronger methods (sha2+,bcrypt)?

Follow-Ups:
- Re: [jetty-dev] Can someone please shed some light on the security of password hashing offered in jetty?
  - From: Brad McEvoy

Prev by Date: [jetty-dev] JDK 9 EA Build 155 is available on java.net
Next by Date: Re: [jetty-dev] Can someone please shed some light on the security of password hashing offered in jetty?
Previous by thread: [jetty-dev] JDK 9 EA Build 155 is available on java.net
Next by thread: Re: [jetty-dev] Can someone please shed some light on the security of password hashing offered in jetty?
Index(es):
- Date
- Thread

Breadcrumbs