james-server-dev mailing list archives

From "Tellier Benoit (JIRA)" <server-...@james.apache.org>
Subject [jira] [Commented] (JAMES-2471) Changing a password should use latest configured hashing algorithm
Date Tue, 17 Jul 2018 06:49:00 GMT

    [ https://issues.apache.org/jira/browse/JAMES-2471?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16546099#comment-16546099 ]

Tellier Benoit commented on JAMES-2471:
---------------------------------------

Note that the algorithm upgrade can also be performed upon login, as the password is available, as
suggested by Jean Helou on the server-user mailing list.

> Changing a password should use latest configured hashing algorithm
> ------------------------------------------------------------------
>
>                 Key: JAMES-2471
>                 URL: https://issues.apache.org/jira/browse/JAMES-2471
>             Project: James Server
>          Issue Type: Improvement
>          Components: CLI, UsersStore & UsersRepository, webadmin
>    Affects Versions: master
>            Reporter: Tellier Benoit
>            Priority: Major
>              Labels: security
>
> James stores users' passwords hashed in a database.
> The hashing algorithm is being stored on a per-user basis. However, when changing a password,
> the password is hashed with the algorithm configured at user creation (not the one used during
> the update).
> We would need, when updating a user's password, to ensure we are using the currently configured
> algorithm.
> This has to be working using James WebAdmin and CLI.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
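
The behaviour the issue asks for, together with the upgrade-on-login variant from the comment, as an added example that is not part of the original message or of the James code base. Class and method names are hypothetical, and the SHA-1 and SHA-256 digest names are constructed stand-ins for the previously and currently configured algorithms.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class HashUpgradeExample { // added illustration; names are hypothetical, not James code
    static final class User { // the algorithm name is stored per user, next to the hash
        String algorithm, hashedPassword;
        User(String algorithm, String password) { setPassword(algorithm, password); }
        void setPassword(String algorithm, String password) {
            this.algorithm = algorithm;
            this.hashedPassword = digest(algorithm, password);
        }
    }

    // Plain digests keep the example short; the names stand in for the configured algorithm.
    static String digest(String algorithm, String password) {
        try {
            byte[] raw = MessageDigest.getInstance(algorithm).digest(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(raw);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Password change: hash with the currently configured algorithm, not user.algorithm.
    static void changePassword(User user, String newPassword, String configured) {
        user.setPassword(configured, newPassword);
    }

    // Login: verify with the stored algorithm, then upgrade while the clear text is in hand.
    static boolean login(User user, String password, String configured) {
        byte[] expected = user.hashedPassword.getBytes(StandardCharsets.UTF_8);
        byte[] actual = digest(user.algorithm, password).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) {
            return false;
        }
        if (!user.algorithm.equals(configured)) {
            user.setPassword(configured, password);
        }
        return true;
    }

    public static void main(String[] args) {
        User bob = new User("SHA-1", "secret"), alice = new User("SHA-1", "old"); // constructed accounts
        System.out.println(login(bob, "secret", "SHA-256") + " " + bob.algorithm);
        changePassword(alice, "new", "SHA-256");
        System.out.println(alice.algorithm + " " + login(alice, "new", "SHA-256"));
    }
}
```

A failed login leaves the stored algorithm and hash untouched, so the upgrade only happens once the supplied password has been verified against the old hash.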
