Re: [jetty-dev] Can someone please shed some light on the security of password hashing offered in jetty?

Not specific to Jetty, but my understanding is that MD5 is susceptible to collisions, so someone could find a password other than the user's real password which generates the same MD5.

However, that doesn't actually help an attacker find the user's password.


On 20/02/17 15:24, Edmond Kemokai wrote:
Specifically, it seems Jetty only supports MD5 and UnixCrypt as methods for hashing passwords; neither is considered secure (someone correct me on this).

Is the expectation that users who want security will roll their own LoginService implementations and support stronger methods (sha2+, bcrypt)?


_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-dev

