• Type: Suggestion
    • Resolution: Fixed
    • 2.5

      bcrypt provides an algorithm that requires extensive, tunable work to test a password, making it resistant to brute-force password cracking. Crowd should include it.

            [CWD-2810] Support bcrypt password encoding

            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow [ 3388186 ] New: JAC Suggestion Workflow 3 [ 3626735 ]
            Status Original: RESOLVED [ 5 ] New: Closed [ 6 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 [ 1389941 ] New: JAC Suggestion Workflow [ 3388186 ]
            Issue Type Original: Improvement [ 4 ] New: Suggestion [ 10000 ]
            Owen made changes -
            Workflow Original: Crowd Development Workflow v2 [ 379326 ] New: Simplified Crowd Development Workflow v2 [ 1389941 ]

            Caspar Krieger (Inactive) added a comment -

            I know you've already gotten an answer to this question on another issue, but for the benefit of those who come after, yes, you are correct, and you can read CWD-3812 if you're interested in what "compatibility" means.

            prdonahue added a comment -

            Great, thanks. So if I set up Crowd and have passwords created/stored there I should have no problem pointing the following to it?

            JIRA
            Confluence
            CrowdID
            Gerrit (via CrowdID)

            At least as far as password hashes go?

            joe added a comment -

            Which incompatibilities exist, specifically?

            If you want to move a user database between products, including encrypted passwords, then only ATLASSIAN-SECURITY is supported across all products. If you're using Crowd as a directory server and you're creating and storing passwords only on the Crowd server then bcrypt is an appropriate choice. The current wording is misleading: I've opened CWD-3812 to improve the in-product documentation.

            prdonahue added a comment -

            The install still reads "For compatibility between Atlassian products you must use ATLASSIAN-SECURITY."

            Which incompatibilities exist, specifically? We would much prefer to use bcrypt but without more detail don't know if we are setting ourselves up for some sort of major fail.

            Jeff Turner added a comment -

            Great, thanks.

            joe added a comment -

            Hi Jeff.

            Our current default (PKCS #5 v2.0) already uses a random salt and a high iteration count, so it's already a secure algorithm. We won't be switching the default: bcrypt is for those who have a strong preference or require interoperability.

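
            joe's comment above contrasts Crowd's default PKCS #5 v2.0 (PBKDF2) scheme, with its random salt and high iteration count, against bcrypt's tunable work factor. The following is an added illustration and not Crowd's code: a self-describing PBKDF2 record format (the `pbkdf2_sha256$iterations$salt$hash` layout is assumed for this example) that stores the salt and iteration count so the cost can be raised over time, the same role bcrypt's cost parameter plays.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example (not Crowd's code): a PKCS #5 v2.0 (PBKDF2) password
# record with a random per-user salt and a tunable iteration count. The
# storage layout "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>" is an
# assumption made for this example.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a hash with a fresh random salt; the iteration count is stored
    beside it so it can be raised later without invalidating old records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so a mismatch leaks nothing about where the bytes differ."""
    try:
        algorithm, iterations_str, salt_hex, hash_hex = stored.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algorithm != ALGORITHM or iterations < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was made with fewer iterations than current policy
    requires; re-hash it at the user's next successful login."""
    try:
        algorithm, iterations_str, _salt, _hash = stored.split("$")
        return algorithm != ALGORITHM or int(iterations_str) < minimum_iterations
    except ValueError:
        return True
```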

            Jeff Turner added a comment -

            Thanks Joseph for implementing this. I was just reading why bcrypt is better than sha1. Is bcrypt going to be the default?
