[NXP-5039] Encrypt by default user passwords stored in an SQL database - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 5.3.2
Component/s: None

Impact type:

Configuration format change
Upgrade notes:

Hide

To activate password encryption, add to your configuration file (default-sql-directories-bundle.xml by default):
<passwordHashAlgorithm>SSHA</passwordHashAlgorithm>
after <passwordField>...</passwordField>

The other algorithm available is SMD5.

This is fully backward-compatible as old cleartext passwords will still be recognized and used. Whenever a user entry is modified the password will be encrypted if it's not already.

Show
To activate password encryption, add to your configuration file (default-sql-directories-bundle.xml by default): <passwordHashAlgorithm>SSHA</passwordHashAlgorithm> after <passwordField>...</passwordField> The other algorithm available is SMD5. This is fully backward-compatible as old cleartext passwords will still be recognized and used. Whenever a user entry is modified the password will be encrypted if it's not already.

Description

In order to avoid password leaks if a server's database is compromised, the user passwords stored in the SQL database should be encrypted and salted by default.

Attachments

Issue Links

is required by

NXP-5147 Make it possible to use encrypted passwords for virtual users defined in xml contribution files

Open

Activity

People

Assignee:

Florent Guillaume

Reporter:

Florent Guillaume

Participants:

Florent Guillaume

Votes:

1 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

2010-04-20 21:09

Updated:

2010-06-17 10:52

Resolved:

2010-06-17 10:52