
Re: [jetty-users] Why org.eclipse.jetty.util.securit.Password.java main function takes username, but use it as salt?

Answered at more length in the issue, but tl;dr:

If you use the Crypt class directly for other purposes, you are free to provide whatever you like as salt, but using it for Password, the username should be used as the salt.

On 24 August 2017 at 04:22, Alvin Lin <alvinlin123@xxxxxxxxx> wrote:
From my code reading I see that
org.eclipse.jetty.util.securit.Password takes in 2 arguments, username
(optional) and password. However, if I trace through the code, the
username eventually becomes the salt (by taking the first 2 characters)
for hashing the password.

So I am wondering why org.eclipse.jetty.util.securit.Password
documents the first optional argument as "username"; why not just
document it as "salt"? Should we pass in the username, or can we pass in
some random string?

I asked the same question on GitHub:
https://github.com/eclipse/jetty.project/issues/1762 but I thought
asking this kind of question on the mailing list is probably more
appropriate.

Thanks,
Alvin
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
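The following Java program is an added illustration of the rule stated in the reply; it is not code from this thread or from the Jetty project. It assumes the Jetty 9 API org.eclipse.jetty.util.security.Credential.Crypt.crypt(String user, String pw), Credential.getCredential(String), Credential.check(Object) and org.eclipse.jetty.util.security.UnixCrypt.crypt(String password, String salt), with UnixCrypt being the traditional two-character-salt DES crypt. The usernames and password are constructed sample values. It shows that the stored CRYPT hash begins with the first two characters of the username, that verification reads the salt back out of the hash and so needs only the password, and the two caveats a practitioner should know about this scheme: users whose names share a two-character prefix and who pick the same password get identical hashes, and DES crypt keys on at most eight password characters.

```java
// Added example, not from the mailing list thread or from Jetty itself.
// Assumes the Jetty 9 org.eclipse.jetty.util.security API named in the lead-in.
import org.eclipse.jetty.util.security.Credential;
import org.eclipse.jetty.util.security.UnixCrypt;

public class CryptSaltDemo {
    private static final String PREFIX = "CRYPT:";

    /** Same call Password's main() makes for "username password": the username supplies the salt. */
    static String cryptForUser(String user, String password) {
        return Credential.Crypt.crypt(user, password);
    }

    /** In DES crypt the first two characters of the hash are the salt it was computed with. */
    static String saltOf(String cooked) {
        String hash = cooked.startsWith(PREFIX) ? cooked.substring(PREFIX.length()) : cooked;
        return hash.substring(0, 2);
    }

    public static void main(String[] args) {
        String user = "alice";           // constructed sample user
        String password = "s3cret!!";    // constructed sample password, exactly 8 characters

        String cooked = cryptForUser(user, password);
        System.out.println(user + " -> " + cooked);

        // 1. The salt is user.substring(0, 2), so the hash part of "CRYPT:..." starts with "al".
        if (!saltOf(cooked).equals(user.substring(0, 2))) {
            throw new AssertionError("salt is not the first two characters of the username");
        }

        // 2. Verification needs only the password: Crypt.check() re-crypts the candidate
        //    with the stored hash as salt, so the username is not needed at check time.
        Credential stored = Credential.getCredential(cooked);
        System.out.println("check(correct)  = " + stored.check(password));
        System.out.println("check(wrong)    = " + stored.check("wr0ngpass"));

        // 3. Caveat: the salt is only 12 bits taken from the name. A second constructed
        //    user whose name also starts with "al" and who chose the same password
        //    gets a byte-identical hash, which a leaked realm file exposes immediately.
        String otherCooked = cryptForUser("albert", password);
        System.out.println("alice == albert = " + cooked.equals(otherCooked));

        // 4. Caveat: traditional DES crypt uses at most the first 8 password characters,
        //    so a longer password sharing the same 8-character prefix also verifies.
        System.out.println("check(pw+extra) = " + stored.check(password + "extra"));

        // 5. Calling UnixCrypt directly (the "other purposes" case in the reply) lets you
        //    choose the salt yourself: two characters from [./0-9A-Za-z]. The salt is carried
        //    in the hash, so Credential.check() still works on the result.
        String custom = PREFIX + UnixCrypt.crypt(password, "Q7");
        System.out.println("custom salt     = " + saltOf(custom) + ", check = "
                + Credential.getCredential(custom).check(password));
    }
}
```

Compile and run it with jetty-util on the classpath (for example, javac -cp jetty-util-9.x.jar CryptSaltDemo.java). The practical takeaway is that the "username" argument is not a secret or a random value but a deterministic salt source, which is why the documentation calls it username rather than salt: the realm entry for a user must be generated with that user's own name or Jetty's own tooling will produce a hash with a different salt from the one the tooling expects.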


