james-server-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matthieu Baechler (JIRA)" <server-...@james.apache.org>
Subject [jira] [Commented] (JAMES-1677) Upgrade the users hashing algorithm type
Date Thu, 28 Jan 2016 19:55:39 GMT

    [ https://issues.apache.org/jira/browse/JAMES-1677?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15122219#comment-15122219
] 

Matthieu Baechler commented on JAMES-1677:
------------------------------------------

This contribution would be very welcome. I don't know why it would be related to backend,
I think it's orthogonal, don't you think ?

> Upgrade the users hashing algorithm type
> ----------------------------------------
>
>                 Key: JAMES-1677
>                 URL: https://issues.apache.org/jira/browse/JAMES-1677
>             Project: James Server
>          Issue Type: Improvement
>            Reporter: Ahmet Kaplan
>            Priority: Minor
>              Labels: security
>
> User data models use different hashing algorithms:
> JPA           -> MD5
> JDBC        -> SHA
> Cassandra -> SHA1
> HBase       -> MD5
> Memory     -> MD5
> JCR           -> MD5
> There are lots of hashing discussions such as http://stackoverflow.com/questions/20186354/best-practice-of-hashing-passwords/20186472#20186472
> https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
> https://en.wikipedia.org/wiki/SHA-2
> http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
> I offer SHA-256 for all user data models. 
> P.S: Not exactly related but Google Chrome does not allow SHA1 at next year.
> http://blog.chromium.org/2014/09/gradually-sunsetting-sha-1.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org


Mime
View raw message