[DIRSERVER-1088] Do not cache plain text passwords in credential cache or in LdapPrincipal - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.5.0, 1.5.1
Fix Version/s: 1.5.4
Component/s: core
Labels:
None

Description

It's really not a good idea to cache plain text passwords in memory which can easily be comprimised with memory readers to enable password theft. The best thing to do here in the short term is to disable caching if the password is plaintext.

If caching is still desired then a temp key generated at startup can be used to encrypt and decrypt plain text password when put into memory. Perhaps this is the best option which still keeps performance.

Attachments

Activity

People

Assignee:: Emmanuel Lécharny

Reporter:: Alex Karasulu

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 15/Oct/07 13:29

Updated:: 15/Feb/09 19:36

Resolved:: 02/Sep/08 14:40