Details
-
Bug
-
Resolution: Done
-
Critical
-
PLINK_2.5.0.Final
-
None
Description
Actually salt generation in PasswordCredentialEncoder is not secure and is unusable as it always generate same value for salt. It's because PasswordCredentialEncoder is always returning new instance of SecureRandom with static value of seed, which means that it always return same salt with value 8045985940433151156 (my platform is Sun JDK6, Ubuntu 12.10)
See this example application (During testing, I've temporarily added this piece of code directly to class PasswordCredentialHandler):
public static void main(String[] args) { PasswordCredentialHandler passwordCredHandler = new PasswordCredentialHandler(); for (int i=0 ; i<3 ; i++) { String salt = passwordCredHandler.generateSalt(); System.out.println("Generated" + i + ": " + salt); } }
The output of the application will be:
Generated0: 8045985940433151156 Generated1: 8045985940433151156 Generated2: 8045985940433151156