Re: [jetty-dev] Can someone please shed some light on the security of password hashing offered in jetty?

I don't see any indication that jetty's MD5 implementation supports adding a salt:

http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/util/security/Credential.MD5.html


On Sun, Feb 19, 2017 at 11:12 PM, Brad McEvoy <brad@xxxxxxxxxxxxxxxxxxxx> wrote:

Those dictionary databases are only useful if no salt is used, e.g. that's where LinkedIn went wrong with their breach.

http://blog.inspiredelearning.com/categorytech-cornerthe-linkedin-hack-understanding-why-it-was-so-easy-to-crack-the-passwords-2/

But if you're not using a salt then no hashing algorithm will help you, because anyone can generate a dictionary from known common passwords.

So AFAIK MD5 is as good a password hashing function for the web as any other.



On 20/02/17 17:06, Edmond Kemokai wrote:
@Brad
I see your point. There are however MD5 dictionary databases that are apparently useful to bad guys. In any case it would be nice to have better options in jetty.

On Sun, Feb 19, 2017 at 10:56 PM, Brad McEvoy <brad@xxxxxxxxxxxxxxxxxxxx> wrote:

What I said was that finding a collision of an MD5 does nothing to help an attacker find the actual password. I think that point still stands, right?

Clearly just applying an MD5 to a plain password isn't sufficient. But my understanding is that Digest (which uses MD5) hashed passwords have never been retrieved from a database breach. Happy to be corrected if anyone knows otherwise...


On 20/02/17 16:46, Edmond Kemokai wrote:
@Brad
MD5 is a weak hash, which is well known. Your point about susceptibility to collisions is in itself a good enough reason not to use it.

The password space (mathematically speaking) is vast, even for relatively weak passwords. So if an attacker manages to get their hands on your database it would be much more preferable for them if it was easier to crack the hash (which would be the case for MD5 and UnixCrypt) versus taking wild guesses of all passwords that could possibly map to a given hash.



On Sun, Feb 19, 2017 at 9:29 PM, Brad McEvoy <brad@xxxxxxxxxxxxxxxxxxxx> wrote:

Not specific to Jetty, but my understanding is that MD5 is susceptible to collisions, so someone could find a password other than the user's real password which generates the same MD5.

However, that doesn't actually help an attacker find the user's password.


On 20/02/17 15:24, Edmond Kemokai wrote:
Specifically, it seems jetty only supports MD5 and UnixCrypt as methods for hashing passwords, neither is considered secure (someone correct me on this).

Is the expectation that users who want security will roll their own LoginService implementations and support stronger methods (sha2+,bcrypt)?


_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-dev
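The thread ends with the question of whether users wanting something stronger than MD5/UnixCrypt are expected to roll their own. The class below is an added example, not code from this thread or from the Jetty project, of the kind of salted, iterated credential a custom LoginService could carry: a PBKDF2-HMAC-SHA256 hash stored as "PBKDF2:<iterations>:<base64 salt>:<base64 hash>". It assumes jetty-util (the Jetty 9.x Credential API, with its abstract check(Object) method) is on the classpath; the class name, the "PBKDF2:" prefix, the storage format and the iteration count are this example's own choices.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.eclipse.jetty.util.security.Credential;
import org.eclipse.jetty.util.security.Password;

/**
 * Example (not Jetty project code): a salted, iterated password credential.
 * Unlike Credential.MD5, every password gets its own random salt, so a
 * precomputed MD5 dictionary is useless and each hash must be attacked
 * separately at the cost of the configured iteration count.
 */
public class Pbkdf2Credential extends Credential {
    public static final String PREFIX = "PBKDF2:";        // assumed prefix, this example's own
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int DEFAULT_ITERATIONS = 100_000; // assumed cost; tune to your hardware
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;

    private final int iterations;
    private final byte[] salt;
    private final byte[] hash;

    private Pbkdf2Credential(int iterations, byte[] salt, byte[] hash) {
        this.iterations = iterations;
        this.salt = salt;
        this.hash = hash;
    }

    /** Parse the stored form "PBKDF2:<iterations>:<base64 salt>:<base64 hash>". */
    public static Pbkdf2Credential parse(String stored) {
        if (!stored.startsWith(PREFIX)) {
            throw new IllegalArgumentException("not a PBKDF2 credential");
        }
        String[] parts = stored.substring(PREFIX.length()).split(":");
        if (parts.length != 3) {
            throw new IllegalArgumentException("malformed PBKDF2 credential");
        }
        Base64.Decoder dec = Base64.getDecoder();
        return new Pbkdf2Credential(Integer.parseInt(parts[0]), dec.decode(parts[1]), dec.decode(parts[2]));
    }

    /** Hash a new password under a fresh random salt; returns the string to put in the user store. */
    public static String encode(String password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(password.toCharArray(), salt, DEFAULT_ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return PREFIX + DEFAULT_ITERATIONS + ":" + enc.encodeToString(salt) + ":" + enc.encodeToString(hash);
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    /** Called by the LoginService with what the client submitted. */
    @Override
    public boolean check(Object credentials) {
        char[] candidate;
        if (credentials instanceof char[]) {
            candidate = (char[]) credentials;
        } else if (credentials instanceof String) {
            candidate = ((String) credentials).toCharArray();
        } else if (credentials instanceof Password) {
            candidate = credentials.toString().toCharArray(); // Password.toString() yields the plaintext
        } else {
            return false;
        }
        // Constant-time comparison so response timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(hash, derive(candidate, salt, iterations));
    }

    public static void main(String[] args) {
        String stored = encode("correct horse battery staple"); // constructed sample password
        Pbkdf2Credential cred = parse(stored);
        System.out.println(stored);
        System.out.println("right password accepted: " + cred.check("correct horse battery staple"));
        System.out.println("wrong password rejected: " + !cred.check("Tr0ub4dor&3"));
    }
}
```

Hooking this into Jetty is the part the thread leaves open: a custom LoginService can call Pbkdf2Credential.parse on the stored string itself and then cred.check(submitted), while HashLoginService only recognises the prefixes that Credential.getCredential knows about (CRYPT: and MD5:), so with it you would need whatever extension point your Jetty version offers for new prefixes (an assumption to verify against your version's Credential source). Note that the cost of PBKDF2 is deliberate: the same derivation runs on every login, which is what makes offline cracking of a leaked store expensive.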