Let me show with some code how this exposure could actually be avoided with just a little bit of salt ;-)
Let's say you use LDAP and Spring. When you save passwords from your application you will need three lines of code. If you use anything else the principle still applies: encode with a strong algorithm like SSHA-X, which relies on "salting" the encoded password. The salt should be a user-specific binary value (it could be their picture ;-) Adding some random bits to it wouldn't hurt (hey, there are good image recognition programs around, so be prepared for the next attack LOL):
// Spring Security 3.x package; the class produces LDAP-style {SSHA} strings
import org.springframework.security.authentication.encoding.LdapShaPasswordEncoder;

LdapShaPasswordEncoder ldapShaPasswordEncoder = new LdapShaPasswordEncoder();
// user-specific part plus random bits, as raw bytes
byte[] salt = (someUserSpecificString + someRandomValue).getBytes();
// returns "{SSHA}" followed by base64(sha1(password + salt) + salt)
String saltedPassword = ldapShaPasswordEncoder.encodePassword(password, salt);

You need no changes on the server side, just correct the way you store passwords in your software.
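To make the salting effect visible without a Spring setup, here is an added example (mine, not the post's code) in Python that builds and checks the same {SSHA} string layout that LDAP servers and LdapShaPasswordEncoder use: "{SSHA}" followed by base64 of the SHA-1 digest with the salt appended. The helper make_salt follows the post's recipe (a user-specific string plus random bytes); the user names and passwords in it are constructed sample values. It shows that two users with the same password end up with different stored values, and that verification still works because the salt travels inside the stored string.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # byte length of a SHA-1 digest; everything after it is the salt


def make_salt(user_specific: str, random_len: int = 8) -> bytes:
    """Salt as the post recommends: a user-specific value plus random bits."""
    return user_specific.encode("utf-8") + os.urandom(random_len)


def ssha_encode(password: str, salt: bytes) -> str:
    """Return an LDAP-style {SSHA} string: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value.

    The salt is recovered from the stored value itself, so the server needs
    nothing beyond the string it already holds.
    """
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        return False  # no salt present: malformed, refuse rather than guess
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, digest)


def demo_same_password_two_users() -> tuple:
    """Two constructed users sharing a password get distinct stored values."""
    password = "correct horse"  # constructed sample password
    alice = ssha_encode(password, make_salt("alice"))
    bob = ssha_encode(password, make_salt("bob"))
    return alice, bob


if __name__ == "__main__":
    a, b = demo_same_password_two_users()
    print("alice:", a)
    print("bob:  ", b)
    print("distinct stored values:", a != b)
    print("alice verifies:", ssha_verify("correct horse", a))
    print("wrong password rejected:", not ssha_verify("wrong", a))
```

The design point is the one the post makes: because the salt is stored next to the digest, nothing on the server has to change, yet a leaked directory no longer reveals which accounts share a password and cannot be attacked with a single precomputed table.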