Friday, March 01, 2013

Salt the LDAP password with Spring SSHA

Salted password hashing in LDAP, or in any other credential store, is necessary to protect your users' credentials from rainbow-table attacks. This is what happened to the website of one of the ABC Australia television programs.

Let me show with some code how this exposure could actually have been avoided with just a little bit of salt ;-)

Let's say you use LDAP and Spring. When your application saves a password, you need three lines of code. If you use anything else the principle still applies: encode with a strong algorithm like SSHA-X, which relies on "salting" the encoded password. The salt should be some user-specific binary value (it could be their picture ;-) and adding some random bits to it wouldn't hurt (hey, there are good image-recognition programs around, so be prepared for the next attack LOL):
```java
import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;

LdapShaPasswordEncoder ldapShaPasswordEncoder = new LdapShaPasswordEncoder();
byte[] salt = (someUserSpecificString + someRandomValue).getBytes(); // user-specific string plus random bits
String saltedPassword = ldapShaPasswordEncoder.encodePassword(password, salt); // "{SSHA}" + Base64(SHA-1(password + salt) + salt)
```
You need no changes on the server side; just fix the way your software stores passwords.
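To make the "no server changes" point concrete, here is an added Python example (not code from the original post or from Spring) that writes and verifies the same {SSHA} userPassword format LdapShaPasswordEncoder produces; the user ids, password and salt layout in it are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# {SSHA} as stored in an LDAP userPassword attribute:
#   "{SSHA}" + base64( SHA-1(password || salt) || salt )
# The salt travels inside the stored value, so the directory server needs
# no new configuration: it simply sees another {SSHA} string it already knows.
DIGEST_LEN = 20  # SHA-1 digest size in bytes; everything after it is the salt


def ssha_encode(password: str, salt: bytes) -> str:
    """Return the {SSHA} string for password with the given salt bytes."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_salt(user_id: str, random_bytes: int = 16) -> bytes:
    """Per-user salt: a user-specific string plus random bits, as the post suggests."""
    return user_id.encode("utf-8") + os.urandom(random_bytes)


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (salt recovered from it)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        return False  # malformed: no salt present
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def demo() -> dict:
    """Constructed users: same password, different salts, different stored values."""
    pw = "correct horse battery staple"
    alice = ssha_encode(pw, make_salt("alice"))
    bob = ssha_encode(pw, make_salt("bob"))
    return {
        "alice": alice,
        "bob": bob,
        "distinct": alice != bob,          # rainbow table for one is useless for the other
        "alice_ok": ssha_verify(pw, alice),
        "bob_wrong": ssha_verify("wrong", bob),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```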
