On Wed, 18 May 2011 17:16:28 -0700 Sameer Farooqui
wrote:
SF> But even SSL/TLS is subject to attacks from tools like SSLSNIFF:
SF> http://www.thoughtcrime.org/software/sslsniff
For perfect security, unplug the server and remove the hard drive.
Ted
I am wearing said hat and am freaking out right now :-)
Just kidding and good point. I guess it would be nice if clients like Hector
had an option to use TLS/SSL to encapsulate the application protocol.
But even SSL/TLS is subject to attacks from tools like SSLSNIFF:
http://www.thoughtcrime.org/s
Also if you were wearing an aluminium foil hat you may also be concerned about
how the password is sent to the server.
Again though, see previous "I am not a security guy" comment and helpful link
from Jonathan confirming that statement :)
Cheers
-
Aaron Morton
Freelance Cassand
On Tue, 17 May 2011 15:52:22 -0700 Sameer Farooqui
wrote:
SF> Would still be nice though to use the bcrypt hash over MD5 for stronger
SF> security.
I used MD5 when I proposed SimpleAuthenticator for two reasons:
1) SimpleAuthenticator is supposed to be a demo of the authentication
interface.
If you need it create a ticket on
https://issues.apache.org/jira/browse/CASSANDRA
Aaron
-
Aaron Morton
Freelance Cassandra Developer
@aaronmorton
http://www.thelastpickle.com
On 18 May 2011, at 10:52, Sameer Farooqui wrote:
> Oops, my bad... please ignore the email below. It
Oops, my bad... please ignore the email below. It actually works with the
plain text password (I had forgotten to update the passwd.properties file on
one node which was causing the login to fail).
Example of successful login:
ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$
bin/cassa
Hey Aaron,
Unfortunately it fails with plaintext password also:
ubuntu@domU-12-31-39-0C-D9-13:~/apache-cassandra-0.8.0-beta1$
bin/cassandra-cli -h ec2-50-19-26-189.compute-1.amazonaws.com -p 9160 -u
jdoe -pw 'nosql' -k MDR
Login failure. Did you specify 'keyspace', 'username' and 'password'?
Wel
http://codahale.com/how-to-safely-store-a-password/
On Tue, May 17, 2011 at 3:03 PM, aaron morton wrote:
> Use the plain text password via the cli, the server will make a hash and
> compare it to the one in the file.
> wrt SHA-2 I'm not a security guy but MD5 is probably "good enough" for the
> p
Use the plain text password via the cli, the server will make a hash and
compare it to the one in the file.
wrt SHA-2 I'm not a security guy but MD5 is probably "good enough" for the
problem of storing passwords in plain text in a file.
Hope that helps.
-
Aaron Morton
Freela
By the way, just noticed a typo in my email below. I'm using the correct
keyspace name in all locations on the cluster... however in my examples
below, I used MyKeyspace in some spots and MDR in other spots, but in the
cluster I'm specifying the same keyspace name everywhere, so that's not the
issu
Hi all,
We are trying to use MD5 encrypted passwords. Quick question first - Is
SHA-2 supported yet? US-CERT of the U.S. Department of Homeland Security
has said that MD5 "should be considered cryptographically broken and
unsuitable for further use", and the SHA-2 family of hash functions is
recommen