24 Aug
2010
24 Aug
'10
11:01 p.m.
Base64 is a standard way of storing encrypted content. It could be changed to base128 but
it would include
a large number of non printing characters such as backspace. Any base over base128 would
be interpreted as
invalid UTF-8 and cause errors in the database. Also The size of the encoded data is well
over the 256
character limit and doubling the base only cuts off less than 1/3 of the number of
characters needed so I
don't think even base128 would be enough to make the password functions fit in a 255
char string.
Another option would be to add a binary byte[] property but that would complicate the
process even further.
Caleb
Marius Dumitru Florea wrote:
On 08/10/2010 08:45 PM, Caleb James DeLisle wrote:
Because protectPassword generates a base-64
encoded java serialized form, the size is quite a bit larger than
the 255 character limit of StringProperty and thus PasswordProperty.
What is the real reason for using base-64 encoding? Why not using a
larger base? You convert the serialized bytes anyway.
The use of java serialization is central to the
upgradability of the password verification function because
any new class which implements PasswordVerificationFunction automatically works.
This doesn't explain why you need to store the serialized instance of a
PasswordVerificationFunction implementation as a base-64 string.
Thanks,
Marius
Given this, I want to migrate the database to
move password hashes into the xwikilargestrings table and change
PasswordProperty to extend LargeStringProperty. During this migration, any passwords
still stored in plaintext
will be ported to the scrypt function, passwords stored as a hash will have an
exclamation mark pretended to the
text (this is invalid base64) and be inserted into the table as is.
PasswordClass will keep the sha-512 hash function for legacy passwords but will port
passwords to the new format
as users log in.
These changes will allow us to close
http://jira.xwiki.org/jira/browse/XWIKI-70
and
http://jira.xwiki.org/jira/browse/XWIKI-582
WDYT?
Caleb
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs