  1. XWiki Platform
  2. XWIKI-70

Safe password storage

Details

    • Bug
    • Resolution: Duplicate
    • Critical
    • None
    • 0.9.793
    • Model
    • security
    • Medium
    • N/A
    • N/A

    Description

      Since XWiki uses a simple/single view on all the data, password fields cannot be treated in a special way, so they cannot be excluded from search queries, scripted data access, or search engine indexing. Thus, the passwords should be stored in such a manner that the stored value cannot be used in any way, like the values from /etc/shadow cannot be used.

      So, this means that password fields should be stored as:

      • plain text (no security)
      • hash (safe, but cannot be reversed) with an optional salt
      • encrypted (safe, as long as the encryption key is safe) with an optional salt
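
The "hash with a salt" option, sketched as an added example; it is not part of the issue, its attachments, or XWiki's code. The shadow-style field format `hash:<algo>:<iterations>:<salt>:<digest>`, the choice of PBKDF2-HMAC-SHA256, and all function names are assumptions. It also shows how an existing plain-text field can be recognized and upgraded at login.

```python
import hashlib
import hmac
import secrets

# Assumed field format (hypothetical): hash:<algo>:<iterations>:<salt hex>:<digest hex>
PREFIX = "hash"
ALGO = "pbkdf2-sha256"
ITERATIONS = 600_000


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def encode_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return the value to store in the password field instead of the clear text."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = _derive(password, salt, iterations)
    return ":".join([PREFIX, ALGO, str(iterations), salt.hex(), digest.hex()])


def is_hashed(stored: str) -> bool:
    parts = stored.split(":")
    return len(parts) == 5 and parts[0] == PREFIX and parts[1] == ALGO


def verify_password(candidate: str, stored: str) -> bool:
    """Check a login attempt against the stored field value."""
    if not is_hashed(stored):
        # Legacy plain-text field: still accepted, but the caller should re-encode it.
        return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
    _, _, iterations, salt_hex, digest_hex = stored.split(":")
    try:
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        computed = _derive(candidate, salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed field: fail closed
    return hmac.compare_digest(computed, expected)


def login(candidate: str, stored: str) -> tuple[bool, str]:
    """Verify, and on success upgrade a legacy plain-text field to the hashed form."""
    ok = verify_password(candidate, stored)
    if ok and not is_hashed(stored):
        stored = encode_password(candidate)
    return ok, stored
```

Because the stored string is only ever compared after re-deriving from the submitted password, a value leaked through a query or an index does not work as a login credential.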

      Attachments

        1. crypt.groovy
          2 kB
          Sergiu Dumitriu
        2. PasswordCrypt.patch
          5 kB
          Sergiu Dumitriu

            People

              tmortagne Thomas Mortagne
              soloturn solo turn
              Votes: 4
              Watchers: 4
