Apache Directory Project - [jira] Created: (DIRSERVER-1088) Do not cache plain text passwords


Subject: [jira] Created: (DIRSERVER-1088) Do not cache plain text passwords
Author: Alex Karasulu (JIRA)
Date: 2007-10-15, 1:11 pm

Do not cache plain text passwords in credential cache or in LdapPrincipal
-------------------------------------------------------------------------

Key: DIRSERVER-1088
URL: https://issues.apache.org/jira/browse/DIRSERVER-1088
Project: Directory ApacheDS
Issue Type: Bug
Components: core
Affects Versions: 1.5.0, 1.5.1
Reporter: Alex Karasulu
Fix For: 1.5.2


It's really not a good idea to cache plain text passwords in memory which can easily be compromised with memory readers to enable password theft. The best thing to do here in the short term is to disable caching if the password is plaintext.

If caching is still desired then a temp key generated at startup can be used to encrypt and decrypt plain text passwords when put into memory. Perhaps this is the best option which still keeps performance.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
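
The second option in the report (a temp key generated at startup that encrypts cached passwords) could look like the sketch below. This is an added example, not ApacheDS code or part of the original message: the class and method names are hypothetical, and AES-GCM is an assumed cipher choice, since the issue does not name one.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical class (not from ApacheDS): cache entries are stored encrypted, never as plain text.
public class EncryptedCredentialCache {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private final SecretKey key;                       // temp key generated at startup, never persisted
    private final SecureRandom rng = new SecureRandom();
    private final Map<String, byte[]> cache = new ConcurrentHashMap<>(); // DN -> IV || ciphertext
    public EncryptedCredentialCache() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        key = kg.generateKey();
    }

    /** Encrypts the password before it is cached; the caller should wipe its own copy afterwards. */
    public void put(String dn, byte[] password) throws Exception {
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv);                             // fresh IV per entry; GCM must not reuse an IV under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(dn.getBytes(StandardCharsets.UTF_8)); // bind the entry to its DN
        byte[] ct = c.doFinal(password);
        byte[] entry = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, entry, IV_LEN, ct.length);
        cache.put(dn, entry);
    }

    /** Decrypts only for the duration of the comparison, then zeroes the plaintext buffer. */
    public boolean matches(String dn, byte[] presented) throws Exception {
        byte[] entry = cache.get(dn);
        if (entry == null) return false;               // cache miss: caller falls back to the backend lookup
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, entry, 0, IV_LEN));
        c.updateAAD(dn.getBytes(StandardCharsets.UTF_8));
        byte[] plain = c.doFinal(entry, IV_LEN, entry.length - IV_LEN);
        try {
            return MessageDigest.isEqual(plain, presented); // constant-time comparison
        } finally {
            Arrays.fill(plain, (byte) 0);
        }
    }
}
```

The key lives in the same process as the cache, so this keeps readable passwords out of heap dumps and casual memory scans but does not stop a reader who can also locate the key. Passwords are handled as `byte[]` rather than `String` so the decrypted copy can be zeroed after use.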

