[Jamwiki-devel] Passwords with salts [was: Question about code fragment]
From: Peter P. <pit...@us...> - 2013-03-16 23:46:20
Hi,

On 10.03.2013 at 20:14, jam...@li... wrote:

> I think the Encryption.bytes2String method can be killed - if I had to guess that's probably just very old code and no one noticed the possible cleanup.

Did an SVN history search and the code came already with the import from VQwiki. Cleaned it up, because I think it's useless and even more: dangerous. "new String()" is dangerous in the very same way, but does not obfuscate this; so I preferred it for now, until I find a way to rearrange this stuff as a whole.

> One caveat if you're looking into the password salts is to ensure that any change will work for existing installations (or with an upgrade process).

I gave my very best. There's a small upgrade necessity, but I'll explain below.

> I haven't looked at that issue in a long time, but as I recall there was no easy way to upgrade existing installations to support password salts using Java 5,

I actually had and have no idea why salts for passwords should be a matter of Java version, whether 1.4, 5, 6 or 7. I implemented salts without any known binding to the used Java version.

I created a comprehensive patch, which hopefully covers all relevant locations. I'll attach it to this mail. If this list blocks it, I'll upload it to some web space and share the link.

The reason behind this is, I'd like to avoid committing an unchecked patch to my branch that has to be reverted. "Unchecked" in the sense that I'd like to have at least a second, even better a third, opinion on the proposal for change.

So it would be nice if someone could apply this patch to a local export of the sources and test if everything works well; for me it does. Maybe someone can even test if an already existing installation still works ... after the necessary small upgrade.

The details and my thoughts are in "README.md", contained in the mentioned attachment.

So ... feedback time :-)

--
Best regards,
Peter
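The two points raised in the thread, not converting raw digest bytes with `new String()` and keeping existing installations working, can be combined in one helper that verifies both the old and the new stored format and lets the caller re-hash legacy entries on the next successful login. This is an added illustration, not Peter's patch or JAMWiki's Encryption class; it assumes the legacy value is an unsalted Base64 digest with no ':' (a constructed assumption), uses SHA-256 for both formats, and relies on java.util.Base64 (Java 8), so it does not match the Java 5 constraint discussed above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/** Hypothetical salted-password helper with a migration path for unsalted legacy hashes. */
public final class SaltedPasswords {
    private static final String ALGORITHM = "SHA-256";   // assumed for both old and new format
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    private static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            if (salt != null) md.update(salt);           // legacy format: no salt
            // Fixed charset: never let the platform default decide the password bytes.
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** New stored form: "salt:hash", both Base64, so no digest bytes go through new String(). */
    public static String hash(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(digest(salt, password));
    }

    /** A record without ':' is the assumed legacy unsalted form and should be re-hashed. */
    public static boolean needsUpgrade(String stored) {
        return stored.indexOf(':') < 0;
    }

    /** Verifies either format with a constant-time comparison of the digests. */
    public static boolean verify(String stored, String password) {
        Base64.Decoder dec = Base64.getDecoder();
        int sep = stored.indexOf(':');
        byte[] salt = sep < 0 ? null : dec.decode(stored.substring(0, sep));
        byte[] expected = dec.decode(stored.substring(sep + 1));
        return MessageDigest.isEqual(expected, digest(salt, password));
    }

    public static void main(String[] args) {
        // Constructed legacy record: unsalted SHA-256 of "secret", as an upgrade would find it.
        String legacy = Base64.getEncoder().encodeToString(digest(null, "secret"));
        String record = legacy;
        if (verify(record, "secret") && needsUpgrade(record)) {
            record = hash("secret");                     // re-hash on the next successful login
        }
        System.out.println(verify(record, "secret") && !needsUpgrade(record)); // true
    }
}
```

The upgrade step happens lazily, so an existing installation keeps working the moment the patch is deployed and each account migrates the first time its owner logs in.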