<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Why not just drop "PlainText" from the
      class name and keep it Password?&nbsp; Most of the passwords are
      character based. If we are going to call it PlainTextPassword,
      irrespective of pluggable encoding/masking functionality under the
      covers, it will send jitters in developers' spines.<br>
      <br>
      On 01/07/2013 09:57 AM, Shane Bryzak wrote:<br>
    </div>
    <blockquote cite="mid:50EAF071.4000708@redhat.com" type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      <div class="moz-cite-prefix">It's actually currently a unique salt
        per account, but we need to change it to unique salt per
        password (see getSalt() method in [1]).&nbsp; I'm also -1 for
        EncodedPassword, as it doesn't fit the design of the credential
        handler SPI.&nbsp; What we probably really need is an
        EncodedPasswordCredentialHandler, similar to [1] which will
        manage the persistence of a PlainTextPassword however provide a
        pluggable mechanism for controlling the encoding process.&nbsp; This
        will require some additional changes though to the SPI to
        support overriding the default credential handlers&nbsp; (not a major
        problem though).<br>
        <br>
        [1]
        <meta http-equiv="content-type" content="text/html;
          charset=ISO-8859-1">
        <a moz-do-not-send="true"
href="https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/credential/internal/PlainTextPasswordCredentialHandler.java">https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/credential/internal/PlainTextPasswordCredentialHandler.java</a><br>
        <br>
        On 08/01/13 01:35, Anil Saldhana wrote:<br>
      </div>
      <blockquote cite="mid:50EAEB3F.40907@redhat.com" type="cite">
        <meta content="text/html; charset=ISO-8859-1"
          http-equiv="Content-Type">
        <div class="moz-cite-prefix">Unique salt per password and
          hashed. This is the default scheme we plan to use when users
          just send plain text passwords to IDM. The EncodedPassword
          type will have pluggable mechanisms that can vary in security
          (including encryption). <br>
          <br>
          On 01/07/2013 09:33 AM, Jason Porter wrote:<br>
        </div>
        <blockquote
          cite="mid:D0FEF39D-7FBB-4923-803F-DB0C0810C5E6@gmail.com"
          type="cite">
          <div class="moz-text-plain" wrap="true" graphical-quote="true"
            style="font-family: -moz-fixed; font-size: 12px;"
            lang="x-western">
            <pre wrap="">I haven't looked at the code yet, so forgive me if this is ignorance on my part. Are we using the same salt for every password? I think it might actually be a good idea to remove hashed passwords as an option and instead offer things more secure such as bcrypt or scrypt. One of those at least, imo, should be default. Hashed passwords, even with a salt are really not that secure and I'm not talking about rainbow table attacks, just plain brute force attacks with small box lots of GPU power and some coda code are quickly become the norm for brute forcing passwords. 

This also brings up a good point with what are our recommendations and defaults? Encryption, hashing, account locks?

Sent from my iPhone

On Jan 7, 2013, at 8:27, Pedro Igor Silva <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:psilva@redhat.com">&lt;psilva@redhat.com&gt;</a> wrote:

</pre>
            <blockquote type="cite" style="color: #C0C0C0;">
              <pre wrap=""><span class="moz-txt-citetags">&gt; </span>+1
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>----- Original Message -----
<span class="moz-txt-citetags">&gt; </span>From: "Bruno Oliveira" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:bruno@abstractj.org">&lt;bruno@abstractj.org&gt;</a>
<span class="moz-txt-citetags">&gt; </span>To: "Anil Saldhana" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:Anil.Saldhana@redhat.com">&lt;Anil.Saldhana@redhat.com&gt;</a>
<span class="moz-txt-citetags">&gt; </span>Cc: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<span class="moz-txt-citetags">&gt; </span>Sent: Monday, January 7, 2013 12:58:01 PM
<span class="moz-txt-citetags">&gt; </span>Subject: Re: [security-dev] SHA salted passwords
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>-- 
<span class="moz-txt-citetags">&gt; </span>"The measure of a man is what he does with power" - Plato
<span class="moz-txt-citetags">&gt; </span>-
<span class="moz-txt-citetags">&gt; </span>@abstractj
<span class="moz-txt-citetags">&gt; </span>-
<span class="moz-txt-citetags">&gt; </span>Volenti Nihil Difficile
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>On Monday, January 7, 2013 at 12:18 PM, Anil Saldhana wrote:
<span class="moz-txt-citetags">&gt; </span>
</pre>
              <blockquote type="cite" style="color: #C0C0C0;">
                <pre wrap=""><span class="moz-txt-citetags">&gt;&gt; </span>Having a PlainTextPassword and EncodedPassword separation at the class level is good. It clearly tells the user/developer what type of password is being stored. But if he chooses PTP, should we do the default salting/hashing in the background? The EncodedPassword can allow configuration of salting/hashing mechanisms.
<span class="moz-txt-citetags">&gt;&gt; </span>
<span class="moz-txt-citetags">&gt;&gt; </span>We should not at any cost save plain text passwords in the tables.
</pre>
              </blockquote>
              <pre wrap=""><span class="moz-txt-citetags">&gt; </span>+1 and maybe for a while we could refactor PlainTextPassword to EncodedPassword and avoid some misunderstanding.
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>Makes sense?
</pre>
              <blockquote type="cite" style="color: #C0C0C0;">
                <pre wrap=""><span class="moz-txt-citetags">&gt;&gt; </span>
<span class="moz-txt-citetags">&gt;&gt; </span>Wdyt?
<span class="moz-txt-citetags">&gt;&gt; </span>
<span class="moz-txt-citetags">&gt;&gt; </span>
<span class="moz-txt-citetags">&gt;&gt; </span>On 01/07/2013 08:14 AM, Pedro Igor Silva wrote:
</pre>
                <blockquote type="cite" style="color: #C0C0C0;">
                  <pre wrap=""><span class="moz-txt-citetags">&gt;&gt;&gt; </span>Yeah, the class name is not good and leads to confusion. Today you do not need any extra code to get encoded passwords. The code you pointed out is already doing that: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://github.com/picketlink/TODO/blob/master/server/src/main/java/org/aerogear/todo/server/security/register/RegistrationEndpoint.java#L85">https://github.com/picketlink/TODO/blob/master/server/src/main/java/org/aerogear/todo/server/security/register/RegistrationEndpoint.java#L85</a> Behind the scenes it is using SHA-512 and a SecureRandom-1024 salt. Unfortunately, you can not change such configuration for now. Regards. Pedro Igor ----- Original Message ----- From: "Bruno Oliveira" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:bruno@abstractj.org">&lt;bruno@abstractj.org&gt;</a> (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mai!
 lt%21%0A%2
0o:%21%0A%2%0A0bruno@abst%0Aractj.org">mailto:bruno@abstractj.org</a>) To: "Pedro Igor Silva" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:psilva@redhat.com">&lt;psilva@redhat.com&gt;</a> (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:psilva@redhat.com">mailto:psilva@redhat.com</a>) Cc: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a> (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:security-dev@lists.jboss.org">mailto:security-dev@lists.jboss.org</a>) Sent: Monday, January 7, 2013 11:49:08 AM Subject: Re: [security-dev] SHA salted passwords Hi Pedro, maybe the class name led me to some confusion and I missed the real concept here. So, the PlainTextPassword can be used to store encoded password which algorithm will be used behind!
</pre>
                </blockquote>
              </blockquote>
              <pre wrap=""><span class="moz-txt-citetags">&gt; </span> the scen
<span class="moz-txt-citetags">&gt; </span>es? Which extra code is necessary to have encoded passwords on PicketLink? Could you please provide some example? +1 on EncodedPassword class. 
</pre>
              <blockquote type="cite" style="color: #C0C0C0;">
                <blockquote type="cite" style="color: #C0C0C0;">
                  <pre wrap=""><span class="moz-txt-citetags">&gt;&gt;&gt; </span>-- "The measure of a man is what he does with power" - Plato - @abstractj - Volenti Nihil Difficile On Monday, January 7, 2013 at 10:20 AM, Pedro Igor Silva wrote: 
<span class="moz-txt-citetags">&gt;&gt;&gt; </span>
</pre>
                  <blockquote type="cite" style="color: #C0C0C0;">
                    <blockquote type="cite" style="color: #C0C0C0;">
                      <pre wrap=""><span class="moz-txt-citetags">&gt;&gt;&gt;&gt;&gt; </span>Actually, passwords are not stored in plain text by default. The PlainTextPassword is used to store both encoded and plain text passwords. &gt; &gt; Maybe we can change the API to better indicate whether you want to use encoded passwords or not. Something like this: &gt; &gt; Encoded : this.identityManager.updateCredential(user, new EncodedPassword(request.getPassword())); &gt; &gt; Plain Text: this.identityManager.updateCredential(user, new PlainTextPassword(request.getPassword())); &gt; &gt; Where for the EncodedPassword type you can specify the different configurations for the encoding such as supported algorithms, salt, etc. &gt; &gt; ----- Original Message ----- &gt; From: "Bruno Oliveira" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:bruno@abstractj.org%28mailto:bruno@abstractj.org%29">&lt;bruno@abstractj.org (mailto:bruno@abstractj.org)&gt;</a> (<a moz-!
 do-not-sen
d="true" moz-do!="" -not-send="true" moz-do-n!="" ot-send="t
rue" class="moz-txt-link-freetext" href="mailto:bruno@abstractj.org%28mailto:bruno@abstractj.org%29">mailto:bruno@abstractj.org%28mailto:bruno@abstractj.org%29</a>) &gt; To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a> (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:security-dev@lists.jboss.org">mailto:security-dev@lists.jboss.org</a>) (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:security-dev@lists.jboss.org">mailto:security-dev@lists.jboss.org</a>) &gt; Sent: Monday, January 7, 2013 7:49:58 AM &gt; Subject: [security-dev] SHA salted passwor!
</pre>
                    </blockquote>
                  </blockquote>
                </blockquote>
              </blockquote>
              <pre wrap=""><span class="moz-txt-citetags">&gt; </span>ds &gt; &gt; Go
<span class="moz-txt-citetags">&gt; </span>od morning everyone. &gt; &gt; I'm planning to upgrade AeroGear to PicketLink, looking at the examples looks like the passwords will be stored in plain text &gt; (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://github.com/picketlink/TODO/blob/master/server/src/main/java/org/aerogear/todo/server/security/register/RegistrationEndpoint.java#L85">https://github.com/picketlink/TODO/blob/master/server/src/main/java/org/aerogear/todo/server/security/register/RegistrationEndpoint.java#L85</a>). &gt; &gt; I was just wondering if ShaSaltedPasswordHash (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/password/internal/SHASaltedPasswordHash.java#L13">https://github.com/picketlink/picketlink/blob/master/idm/impl/src/main/java/org/picketlink/idm/password/internal/SHASaltedPasswordHash.java#L13</a>) &gt; could replace !
 PlainTextP
assword in this example, because I don't want to provide examples to our users with passwords stored in plain text. &gt; &gt; Is it possible? &gt; &gt; &gt; -- &gt; "The measure of a man is what he does with power" - Plato &gt; - &gt; @abstractj &gt; - &gt; Volenti Nihil Difficile &gt; &gt; &gt; &gt; _______________________________________________ &gt; security-dev mailing list &gt; <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a> (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:security-dev@lists.jboss.org">mailto:security-dev@lists.jboss.org</a>) (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:security-dev@lists.jboss.org">mailto:security-dev@lists.jboss.org</a>) &gt; <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org">https://lists.jboss.org</a>!
</pre>
            </blockquote>
            <pre wrap=""> /m!
</pre>
            <blockquote type="cite" style="color: #C0C0C0;">
              <pre wrap=""><span class="moz-txt-citetags">&gt; </span>ailman/li
<span class="moz-txt-citetags">&gt; </span>stinfo/security-dev 
</pre>
              <blockquote type="cite" style="color: #C0C0C0;">
                <blockquote type="cite" style="color: #C0C0C0;">
                  <pre wrap=""><span class="moz-txt-citetags">&gt;&gt;&gt; </span>
<span class="moz-txt-citetags">&gt;&gt;&gt; </span>_______________________________________________ security-dev mailing list <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a> (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:security-dev@lists.jboss.org">mailto:security-dev@lists.jboss.org</a>) <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a>
</pre>
                </blockquote>
                <pre wrap=""><span class="moz-txt-citetags">&gt;&gt; </span>
<span class="moz-txt-citetags">&gt;&gt; </span>
<span class="moz-txt-citetags">&gt;&gt; </span>_______________________________________________
<span class="moz-txt-citetags">&gt;&gt; </span>security-dev mailing list
<span class="moz-txt-citetags">&gt;&gt; </span><a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a> (<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:security-dev@lists.jboss.org">mailto:security-dev@lists.jboss.org</a>)
<span class="moz-txt-citetags">&gt;&gt; </span><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a>
</pre>
              </blockquote>
              <pre wrap=""><span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>_______________________________________________
<span class="moz-txt-citetags">&gt; </span>security-dev mailing list
<span class="moz-txt-citetags">&gt; </span><a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<span class="moz-txt-citetags">&gt; </span><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a>
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>_______________________________________________
<span class="moz-txt-citetags">&gt; </span>security-dev mailing list
<span class="moz-txt-citetags">&gt; </span><a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<span class="moz-txt-citetags">&gt; </span><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a>
</pre>
            </blockquote>
            <pre wrap="">_______________________________________________
security-dev mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a>
</pre>
          </div>
        </blockquote>
        <br>
        <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <br>
        <pre wrap="">_______________________________________________
security-dev mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a>
</pre>
      </blockquote>
      <br>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
security-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/security-dev">https://lists.jboss.org/mailman/listinfo/security-dev</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>