Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-15122

Encrypt passwords sent from login portlet/page to server.

XMLWordPrintable

      Would it be possible to simply encrypt the password sent to the Jira/Confluence server?

      At our organization, we have "ONE SINGLE PASSWORD" for everything (which we are forced to change regularly). Our users expect to use this password everywhere (and Jira/Confluence/etc is integrated into our system via Crowd). Our security team does not like that this one single password is passed across the network in plain text by Jira/Confluence/etc, but would accept the situation if it is encrypted in some way.

      For us, after authentication, encryption is neither desired nor required, nearly all data should be viewable without restriction. However for changes we prefer to know which user made them, eg who added a comment. We would rather not have to use HTTPS for everything since it adds cost in terms of additional installation/configuration and runtime overhead and we already have published URLs and tools that use only HTTP.

      Possible solutions:

      • Implement a separate HTTPS only login page perhaps as part of Crowd?
      • Use a javascript function to make an MD5 (or other) hash using onSubmit() and send that instead? Google found http://pajhome.org.uk/crypt/md5/auth.html as an example.

              idaniel Ian Daniel [Atlassian]
              fbb6b0a5b877 Niall Stapley
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: