topic Authentication with secure hashing (SHA-1 rather than MD4) in Alfresco Archive https://connect.hyland.com/t5/alfresco-archive/authentication-with-secure-hashing-sha-1-rather-than-md4/m-p/265557#M218687 <HTML><HEAD></HEAD><BODY><SPAN>Hi all,</SPAN><BR /><BR /><SPAN>We are planning an Alfresco deployment which will (at least initially) run on cloud servers. Since we won't have access to the existing directory server, we planned to use the built-in Alfresco authentication subsystem.</SPAN><BR /><BR /><SPAN>However, this uses MD4 hashes, which are easily broken. </SPAN><STRONG>authentication-services-context.xml</STRONG><SPAN> says:</SPAN><BR /><PRE class="language-none line-numbers"><CODE>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– Passwords are encoded using MD4 –&gt;<BR />&nbsp;&nbsp;&nbsp;&lt;!– This is not ideal and only done to be compatible with NTLM –&gt;<BR />&nbsp;&nbsp;&nbsp;&lt;!– authentication against the default authentication mechanism. –&gt;<BR /><BR />&nbsp;&nbsp;&nbsp; &lt;bean id="passwordEncoder"<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;class="org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl"&gt;&lt;/bean&gt;<SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN>Is there any alternative authentication subsystem for Alfresco that uses a secure hash (SHA-1 or better)?</SPAN><BR /><SPAN>Is it possible, for example, to replace </SPAN><STRONG>org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl</STRONG><SPAN> with a bean providing a more secure implementation?</SPAN><BR /><BR /><SPAN>We don't need CIFS etc, so the NTLM compatibility isn't an issue - I understand this is why Alfresco still uses MD4.</SPAN><BR /><BR /><SPAN>Thanks for any pointers…</SPAN></BODY></HTML> Thu, 12 Jul 2012 13:15:58 GMT dnallsopp 2012-07-12T13:15:58Z Authentication with secure hashing (SHA-1 rather than MD4) https://connect.hyland.com/t5/alfresco-archive/authentication-with-secure-hashing-sha-1-rather-than-md4/m-p/265557#M218687 Hi all,We are planning an Alfresco deployment which will (at least initially) run on cloud servers. Since we won't have access to the existing directory server, we planned to use the built-in Alfresco authentication subsystem.However, this uses MD4 hashes, which are easily broken. authentication-ser Thu, 12 Jul 2012 13:15:58 GMT https://connect.hyland.com/t5/alfresco-archive/authentication-with-secure-hashing-sha-1-rather-than-md4/m-p/265557#M218687 dnallsopp 2012-07-12T13:15:58Z Re: Authentication with secure hashing (SHA-1 rather than MD4) https://connect.hyland.com/t5/alfresco-archive/authentication-with-secure-hashing-sha-1-rather-than-md4/m-p/265558#M218688 <HTML><HEAD></HEAD><BODY><SPAN>Try having a look at:</SPAN><BR /><A href="http://svn.alfresco.com/repos/alfresco-open-mirror/alfresco/HEAD/root/projects/repository/source/java/org/alfresco/repo/security/authentication/" rel="nofollow noopener noreferrer">http://svn.alfresco.com/repos/alfresco-open-mirror/alfresco/HEAD/root/projects/repository/source/java/org/alfresco/repo/security/authentication/</A><BR /><BR /><SPAN>I don't know more about the systems so maybe you should look into the code itself.</SPAN><BR /><SPAN>Or maybe you'll need to write your own class imitating those but for SHA-1</SPAN></BODY></HTML> Fri, 13 Jul 2012 14:13:43 GMT https://connect.hyland.com/t5/alfresco-archive/authentication-with-secure-hashing-sha-1-rather-than-md4/m-p/265558#M218688 scouil 2012-07-13T14:13:43Z