Feb 17th, 2012, 12:07 PM
Recommended strategy for password-encoding?
Given the frequent break-ins and some of the messages stating how md5 has been hacked, what is the recommended way for configuring password-encoding in Spring Security?
Also, if you already have password-encoding set up with spring security, how would you migrate encoded password to a new strategy should you choose one?
Feb 17th, 2012, 03:42 PM
Look into using SHA-256 which can be done using StandardPasswordEncoder.
You cannot really migrate a user's password since the hash is one way. However, you can do a gradual migration as follows. When a user successfully logs in you temporarily have the password. So once you verify the password, you could update the password using the new hashing algorithm (i.e. if valid, rehash with the new strategy). You would then need to specify which passwords had been migrated and which had not. You could do this by prefixing the password with the hash that was used (similar to how LDAP does it).
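The migrate-on-login scheme described above, as an added language-neutral sketch (not Spring Security code and not from the original thread): stored values carry a scheme prefix, an unprefixed value is assumed to be a legacy unsalted MD5 hash, and a successful login against a legacy hash re-encodes the password with salted, iterated SHA-256. The `sha256$<salt>$<digest>` storage format and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 10_000  # assumption: illustrative work factor for the new scheme


def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest, the assumed legacy storage format."""
    return hashlib.md5(password.encode()).hexdigest()


def encode_sha256(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated SHA-256 stored as 'sha256$<hex salt>$<hex digest>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"sha256${salt.hex()}${digest.hex()}"


def is_migrated(stored: str) -> bool:
    """A scheme prefix marks a hash that already uses the new strategy."""
    return stored.startswith("sha256$")


def matches(password: str, stored: str) -> bool:
    """Dispatch on the prefix so both old and new hashes verify."""
    if is_migrated(stored):
        _, salt_hex, digest_hex = stored.split("$")
        expected = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
        )
        return hmac.compare_digest(expected.hex(), digest_hex)
    # No prefix: legacy MD5. Constant-time compare avoids timing leaks.
    return hmac.compare_digest(legacy_md5(password), stored)


def login(users: dict, username: str, password: str) -> bool:
    """Verify the password; on success, upgrade a legacy hash in place."""
    stored = users.get(username)
    if stored is None or not matches(password, stored):
        return False
    if not is_migrated(stored):
        # The plaintext is only available here, so this is the one
        # moment a legacy hash can be re-encoded with the new scheme.
        users[username] = encode_sha256(password)
    return True
```

Once every row carries the prefix, the legacy branch in `matches` can be removed; any account that never logged in keeps its old hash and should be forced through a password reset instead.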
Feb 18th, 2012, 05:18 AM
Thanks, that's useful info! Any info on the "default"? Is it considered "safe" enough?
Feb 20th, 2012, 10:17 PM
Yes, the default is going to be good enough. It does all your standard stuff: salting the password, iterating a hash hundreds of times, all that good stuff. When starting out fresh with an app I tend to use a bcrypt hashing scheme, but in reality if you have a hole in the security of your web app, I would wager every time that it won't be because of a broken hash scheme; it's going to be due to something else.