From 5c4aee562b7fcb42f10aa62011e0ff6297cee867 Mon Sep 17 00:00:00 2001 From: ac2550 Date: Thu, 22 Mar 2018 17:04:06 +0100 Subject: Remove client usage of md5 Md5 usage introduce a security flow by reducing the amount of test needed for a brute force attack. Change-Id: Ifa4e6259d0a3fb06c91c03d1c67470ddd02284fc Issue-ID: CLAMP-143 Signed-off-by: ac2550 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index f9a3414a..d129e5ba 100644 --- a/README.md +++ b/README.md @@ -98,10 +98,10 @@ You can see the swagger definition for the jaxrs apis at `/restservices/clds/v1/ Credentials should be specified in `src/main/resources/clds/clds-users.json`. You might specify you own credential file by redefining the `clamp.config.files.cldsUsers` in `application.properties`. -Passwords should be hashed using md5, then using Bcrypt : +Passwords should be hashed using Bcrypt : ``` # pip3 install bcrypt # if you don't have the bcrypt python lib installed, should be done once. -# python3 -c 'import bcrypt; import hashlib; m = hashlib.md5(); m.update("password".encode()); m.hexdigest(); print(bcrypt.hashpw(m.hexdigest().encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))' +# python3 -c 'import bcrypt; print(bcrypt.hashpw("password".encode(), bcrypt.gensalt(rounds=10, prefix=b"2a")))' ``` Default credentials are admin/password and cs0008/password. -- cgit 1.2.3-korg
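Review bot: In the replacement `python3 -c` line the password is still a literal inside the command, so anyone following the README with a real password leaves it in shell history and in the process list; reading it with `getpass.getpass()` inside the same one-liner avoids that. The same line prints the return value of `bcrypt.hashpw(...)` directly, which is a bytes object and is displayed as `b'$2a$10$...'`; calling `.decode()` before printing gives a string that can be pasted into `clds-users.json` unchanged. Dropping the md5 step also changes what is hashed: values generated with the removed command are bcrypt over the md5 hex digest and will not verify against a bcrypt check of the plain password, so the README should state that existing entries in `clds-users.json` have to be regenerated. With md5 gone the input is no longer a fixed 32 characters, and bcrypt only uses the first 72 bytes of its input, which deserves a line next to the `rounds=10` setting.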