
Authentication with secure hashing (SHA-1 rather than MD4)

Question asked by dnallsopp on Jul 12, 2012
Latest reply on Jul 13, 2012 by scouil
Hi all,

We are planning an Alfresco deployment which will (at least initially) run on cloud servers. Since we won't have access to the existing directory server, we planned to use the built-in Alfresco authentication subsystem.

However, this uses MD4 hashes, which are easily broken. authentication-services-context.xml says:
    <!-- Passwords are encoded using MD4 -->
    <!-- This is not ideal and only done to be compatible with NTLM -->
    <!-- authentication against the default authentication mechanism. -->

    <bean id="passwordEncoder"
          class="org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl"></bean>

Is there any alternative authentication subsystem for Alfresco that uses a secure hash (SHA-1 or better)?
Is it possible, for example, to replace org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl with a bean providing a more secure implementation?

We don't need CIFS etc., so the NTLM compatibility isn't an issue - I understand this is why Alfresco still uses MD4.

Thanks for any pointers…
