Jon,

On 1/15/20 4:55 PM, jonmcalexan...@wellsfargo.com.INVALID wrote:
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Wednesday, January 15, 2020 3:42 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat Digest Algorithm question
>
> On 15/01/2020 21:03, jonmcalexan...@wellsfargo.com.INVALID wrote:
>> Is there a list of compliant algorithms supported when using
>> Digest for passwords in the user database realm?
>>
>> I know it supports MD5 and SHA, but both of these are weak. Does
>> this support SHA-256, SHA-512, SHA3, etc.?
>
>> It supports any digest supported by the JRE you are using.
>
>> Mark
>
> <snip>
>
> Thank You!

What Mark did not say was that you shouldn't be using any of these.
You should be using PBKDF2 (which is supported by Tomcat) or bcrypt or
something like that.

If you are using one of the old, weak algorithms, it's possible to
configure Tomcat (and your web application) to upgrade everybody. I
have a presentation on this topic here:

https://tomcat.apache.org/presentations.html#latest-credential-security

-chris

PS: In case anyone was curious, the actual end of SHA1 began this week
with this publication: https://eprint.iacr.org/2020/014.pdf
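
Added example, not part of the original message or the linked presentation: a server.xml realm fragment for the setup the reply describes, with PBKDF2 as the preferred handler and the old digest kept only so existing entries still verify. It assumes the UserDatabaseRealm from the question, SHA-256 as the legacy digest, and illustrative iteration, key-length and salt-length values.

```xml
<!-- Assumption: the realm from the question, backed by the usual
     "UserDatabase" global resource (conf/tomcat-users.xml). -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">

  <!-- NestedCredentialHandler tries each nested handler in turn when
       checking a password and uses the FIRST one when generating a
       new stored credential. -->
  <CredentialHandler
      className="org.apache.catalina.realm.NestedCredentialHandler">

    <!-- Preferred: PBKDF2 via the JRE's SecretKeyFactory.
         iterations / keyLength (bits) / saltLength (bytes) are
         illustrative values; tune them for your hardware. -->
    <CredentialHandler
        className="org.apache.catalina.realm.SecretKeyCredentialHandler"
        algorithm="PBKDF2WithHmacSHA512"
        iterations="100000"
        keyLength="256"
        saltLength="16" />

    <!-- Legacy fallback (assumed here to be plain SHA-256): present
         only so credentials stored before the migration still match.
         Remove it once every stored credential has been replaced. -->
    <CredentialHandler
        className="org.apache.catalina.realm.MessageDigestCredentialHandler"
        algorithm="SHA-256" />

  </CredentialHandler>
</Realm>
```

Stored credentials are not rewritten by this configuration alone; entries keep their old digest until the application (or an administrator) stores a new value generated with the first handler.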