Also if you were wearing an aluminium foil hat you may also be concerned about how the password is sent to the server.
Again though, see previous "I am not a security guy" comment and helpful link from Jonathan confirming that statement :)

Cheers

-----------------
Aaron Morton
Freelance Cassandra Developer
@aaronmorton
http://www.thelastpickle.com

On 19/05/2011, at 1:19 AM, Ted Zlatanov <t...@lifelogs.com> wrote:

> On Tue, 17 May 2011 15:52:22 -0700 Sameer Farooqui <cassandral...@gmail.com> wrote:
>
> SF> Would still be nice though to use the bcrypt hash over MD5 for stronger
> SF> security.
>
> I used MD5 when I proposed SimpleAuthenticator for two reasons:
>
> 1) SimpleAuthenticator is supposed to be a demo of the authentication
> interface. It can be used for testing and trivial setups, but I
> wouldn't use it in production. So it's meant to get you going easily,
> not to serve you long-term.
>
> 2) MD5 is built into Java. At the time, bcrypt and SHA-* were not. I
> used MD5 only so the passwords are not stored in the clear, not to
> provide production-level security.
>
> You should consider carefully the implications of storing passwords in a
> file on a database server, no matter how they are encrypted. It would
> be better to write a trivial AD/LDAP/etc. authenticator that fits your
> specific needs and doesn't rely on a local file.
>
> Ted
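As an added illustration of the trade-off Ted describes above (example code written for this thread, not Cassandra's SimpleAuthenticator or anything posted by the participants): a verifier for a hypothetical "user=hash" password file that accepts legacy unsalted-MD5 entries only long enough to rehash them with a salted, iterated KDF from the standard library. The file layout, the `pbkdf2_sha256$` entry format and the sample entry are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample of a "user=hash" password file in the unsalted-MD5 style
# discussed in the thread. Format and values are assumptions for this example;
# the hex value is simply MD5("password").
LEGACY_FILE = "# legacy passwd file, unsalted MD5 mode\nalice=5f4dcc3b5aa765d61d8327deb882cf99\n"

def parse_passwd(text):
    """Parse 'user=hash' lines, skipping blanks and '#' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            user, stored = line.split("=", 1)
            entries[user.strip()] = stored.strip()
    return entries

def pbkdf2_hash(password, salt=None, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256 (stdlib only, like MD5 was in Java)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def verify(stored, password):
    """Check a password against a PBKDF2 entry or a legacy MD5 entry.
    compare_digest keeps the comparison constant-time in both branches."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_b64, dk_b64 = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), int(iters))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    # Legacy: unsalted MD5 hex. Fast and salt-free, so equal passwords share a
    # hash and precomputed tables apply; kept only so entries can be migrated.
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)

def login(entries, user, password):
    """Authenticate and, on success, transparently rehash a legacy MD5 entry."""
    stored = entries.get(user)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith("pbkdf2_sha256$"):
        entries[user] = pbkdf2_hash(password)  # upgrade on first good login
    return True

if __name__ == "__main__":
    db = parse_passwd(LEGACY_FILE)
    print(login(db, "alice", "password"), db["alice"].split("$")[0])
```

The rehashed entry still lives in a file on the database server, which is the point of Ted's last paragraph; the KDF only raises the cost of an offline guess, it does not remove the exposure of the file itself.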