Re: hashing, best practices?

From: Michael Gentry (blacknex..mail.com)
Date: Fri Aug 08 2008 - 10:17:12 EDT

    Yeah, I was drastically simplifying, but didn't mention it.

    On Thu, Aug 7, 2008 at 8:26 PM, Aristedes Maniatis <ar..sh.com.au> wrote:
    >
    > On 08/08/2008, at 5:00 AM, Michael Gentry wrote:
    >
    >> public void setPassword(String newPassword)
    >> {
    >> super.setPassword(sha1(newPassword));
    >> }
    >
    > That's close to what we do too. Some small caveats:
    >
    > * think carefully about how you implement validation like 'password length
    > is more than 4 characters' since the hash will always be more than 4
    > characters
    >
    > * salt the password before hashing it (for example with the username and
    > some other random string) otherwise you make it easy for someone to change
    > the database value to a known password. That is, the password 'mypass'
    > should hash to two different results for two different users.
    >
    > * make sure you don't getPassword and then setPassword somewhere in your
    > code otherwise you'll keep rehashing the hashed version.
    >
    > Cheers
    >
    > Ari
    >
    >
    >
    > -------------------------->
    > ish
    > http://www.ish.com.au
    > Level 1, 30 Wilson Street Newtown 2042 Australia
    > phone +61 2 9550 5001 fax +61 2 9550 4001
    > GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
    >
    >
    >
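
Ari's three caveats turned into working code, as an added example that is not from this thread and not Cayenne's own generated code. It assumes a hypothetical stand-in `_User` superclass in place of the Cayenne-generated one, and in place of the bare `sha1(...)` call in Michael's snippet it uses PBKDF2 (a slow, salted key-derivation function from the standard JCE) with a fresh random salt per call, storing salt and iteration count in the same column as the hash so verification needs nothing else. Requires Java 8 or later for `java.util.Base64`.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Hypothetical stand-in for the Cayenne-generated _User superclass in the
 * thread: a plain persistence getter/setter pair and nothing else.
 */
class _User {
    private String password;

    public String getPassword() { return password; }

    public void setPassword(String password) { this.password = password; }
}

public class User extends _User {
    private static final int MIN_PASSWORD_LENGTH = 8;
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /**
     * The only entry point that takes a plaintext. Caveat 1: the length check
     * runs on the plaintext, before hashing. Caveat 2: a random salt is drawn
     * per call, so equal passwords give different stored values. Caveat 3: the
     * name differs from setPassword(), so a getPassword() -> setPassword()
     * round trip elsewhere copies the stored hash unchanged instead of
     * hashing it a second time.
     */
    public void changePassword(String newPassword) {
        if (newPassword == null || newPassword.length() < MIN_PASSWORD_LENGTH) {
            throw new IllegalArgumentException(
                "password must be at least " + MIN_PASSWORD_LENGTH + " characters");
        }
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        super.setPassword(encode(salt, derive(newPassword, salt, ITERATIONS)));
    }

    /** Checks a login attempt against the stored "pbkdf2$iterations$salt$hash" value. */
    public boolean verifyPassword(String attempt) {
        String stored = getPassword();
        if (stored == null || attempt == null) {
            return false;
        }
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !"pbkdf2".equals(parts[0])) {
            return false;   // not in our format, e.g. a legacy unsalted digest
        }
        int iterations = Integer.parseInt(parts[1]);
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        // Constant-time comparison; Arrays.equals() would leak the matching prefix length.
        return MessageDigest.isEqual(expected, derive(attempt, salt, iterations));
    }

    private static byte[] derive(String password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable in this JRE", e);
        } finally {
            spec.clearPassword();   // wipe the char[] copy of the plaintext
        }
    }

    private static String encode(byte[] salt, byte[] hash) {
        Base64.Encoder b64 = Base64.getEncoder();
        return "pbkdf2$" + ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }

    public static void main(String[] args) {
        User alice = new User();
        User bob = new User();
        alice.changePassword("mypass-but-longer");
        bob.changePassword("mypass-but-longer");
        // Caveat 2: same plaintext, two different rows, so copying one user's
        // column onto another's does not let you log in as them.
        System.out.println("distinct hashes: " + !alice.getPassword().equals(bob.getPassword()));
        System.out.println("correct password accepted: " + alice.verifyPassword("mypass-but-longer"));
        System.out.println("wrong password rejected: " + !alice.verifyPassword("wrong"));

        // Caveat 3: pushing the stored value back through the plain setter
        // leaves it intact rather than hashing the hash.
        String before = alice.getPassword();
        alice.setPassword(alice.getPassword());
        System.out.println("round trip unchanged: " + before.equals(alice.getPassword()));

        // Caveat 1: "abc" is rejected on its plaintext length, even though its
        // encoded hash would be far longer than 4 characters.
        try {
            alice.changePassword("abc");
        } catch (IllegalArgumentException e) {
            System.out.println("short password rejected: " + e.getMessage());
        }
    }
}
```

Keeping `setPassword()` as the raw persistence setter and adding `changePassword()` for plaintext is what makes the third caveat go away structurally rather than by convention: Cayenne, a copy-on-merge routine, or a form binding can read and write the column freely without ever touching a plaintext path.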



    This archive was generated by hypermail 2.0.0 : Fri Aug 08 2008 - 10:17:48 EDT