camunda BPM: CAM-7282

In the documentation I can read about how password hashing is done in Camunda

Description

AT:

• I can read about the algorithm (SHA1) used in Camunda
• I can read about the salt mechanism to prevent rainbow table/dictionary attacks
• I can read about what I need to do to use my custom hashing algorithm

Remark: Should be referenced from the security introduction page


          Activity

          thorben.lindhauer Thorben Lindhauer added a comment -

          Review:

          • target reader should be a person who knows the general topic (i.e. what hashing and salting is, and why it could make sense to exchange the default implementation)
  • remove the general introductions to the topics. An expert will not need them and a novice will likely not understand them due to their brevity.
            • If we want to assist novices in understanding the topic, we could link in the introduction to good external resources (e.g. Wikipedia, blog posts)
            • the specs of the default implementation (SHA-1, 16 byte salts) can go into the introduction
          • customization section
            • put more emphasis on the interfaces to be implemented instead of the abstract classes we provide
            • having a camunda.cfg.xml example may be counter-productive for users who don't use that. Perhaps it is better to only mention which configuration property can be set and link to a section that deals with configuration in general (if exists); also create an issue for your improvement idea
          thorben.lindhauer Thorben Lindhauer added a comment -

          Review:

          • I like the sections about customization
          • The introduction can still be shortened. Assume that users know the topic, but do not know yet how Camunda handles it: there is no need to explain that SHA-1 is considered less secure or that SHA-512 is somewhat considered secure (it is sufficient to say: Camunda uses SHA-512 and versions <= 7.6 use SHA-1) or what a salt is (it is sufficient to say: camunda uses 16-byte per-user salts, generated with SecureRandom).
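The scheme the review comment asks the documentation to state (SHA-512 over a 16-byte per-user salt drawn from SecureRandom, with SHA-1 for versions <= 7.6) is worked through below as an added example; it is not Camunda's code and does not use Camunda's interfaces. The salt-then-password digest order and the `{ALGORITHM}salt$digest` storage format are this example's own assumptions, chosen so that the algorithm name travels with the stored value and legacy SHA-1 entries remain verifiable during a migration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class SaltedPasswordHashing {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;   // 16-byte per-user salt, as on the page

    static byte[] generateSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                    // fresh CSPRNG salt for every user
        return salt;
    }

    // Digest order (salt, then password) is an assumption of this example.
    static byte[] digest(String algorithm, byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(algorithm + " not available", e);
        }
    }

    // New hashes always use the current default (SHA-512); legacy SHA-1 values
    // written by versions <= 7.6 are only ever read, never produced.
    static String hash(String password) {
        byte[] salt = generateSalt();
        Base64.Encoder b64 = Base64.getEncoder();
        return "{SHA-512}" + b64.encodeToString(salt) + "$"
                + b64.encodeToString(digest("SHA-512", salt, password));
    }

    // The algorithm is read from the stored prefix, so {SHA-1} and {SHA-512}
    // entries can coexist in one user table during migration.
    static boolean check(String password, String stored) {
        int close = stored.indexOf('}');
        int sep = stored.indexOf('$', Math.max(close, 0));
        if (!stored.startsWith("{") || close < 0 || sep < 0) return false;
        String algorithm = stored.substring(1, close);
        byte[] salt = Base64.getDecoder().decode(stored.substring(close + 1, sep));
        byte[] expected = Base64.getDecoder().decode(stored.substring(sep + 1));
        // constant-time comparison: do not leak where the digests diverge
        return MessageDigest.isEqual(expected, digest(algorithm, salt, password));
    }
}
```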

People

• Assignee: Matthijs Burke (matthijs.burke)
• Reporter: Johannes Heinemann (johannes.heinemann)