[OWASP-ESAPI] About owasp-esapi-java

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu May 21 16:05:30 EDT 2009

The HashIterations value is a form of key strengthening [1]. Am I alone in thinking this value should be 1 (essentially off) by default? I'm not suggesting hashing is as expensive as search, but I think people would not like the performance results of this feature. After all, it's intended to be slow.
[1] http://en.wikipedia.org/wiki/Key_strengthening


4. There's a HashIterations property key in ESAPI.properties. But this isn't used in org.owasp.esapi.reference.JavaEncryptor's hash method. Instead there's a hardcoded 1024.

Good catch. This has been fixed so the hash iterations are configurable now.  Thanks!
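
Added example, not part of the original message and not ESAPI's own code: a sketch of salted, iterated hashing in which the iteration count comes from a properties key rather than a hardcoded constant, with a rough timing of 1 iteration against the configured count. The class name, method names, SHA-512 choice, sample salt and passwords are assumptions made for illustration; only the HashIterations key and the value 1024 come from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Properties;

public class IteratedHashDemo {  // hypothetical class, not org.owasp.esapi.reference.JavaEncryptor
    // Read the iteration count from configuration instead of hardcoding it.
    // The fallback of 1024 mirrors the hardcoded value mentioned in the thread.
    static int iterationsFrom(Properties props) {
        int n = Integer.parseInt(props.getProperty("HashIterations", "1024"));
        if (n < 1) throw new IllegalArgumentException("HashIterations must be >= 1");
        return n;
    }

    // Salted hash; the digest is applied `iterations` times in total.
    static byte[] hash(String plaintext, String salt, int iterations)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        md.update(salt.getBytes(StandardCharsets.UTF_8));
        byte[] out = md.digest(plaintext.getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < iterations; i++) {
            out = md.digest(out);  // digest(byte[]) updates, finalizes and resets md
        }
        return out;
    }

    // Average cost of one hash() call in microseconds over `rounds` calls.
    static double microsPerHash(int iterations, int rounds) throws NoSuchAlgorithmException {
        long start = System.nanoTime();
        for (int r = 0; r < rounds; r++) {
            hash("constructed-password-" + r, "constructed-salt", iterations);
        }
        return (System.nanoTime() - start) / 1000.0 / rounds;
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();  // constructed stand-in for ESAPI.properties
        props.setProperty("HashIterations", "1024");
        int configured = iterationsFrom(props);
        microsPerHash(configured, 200);       // warm up the JIT before measuring
        for (int n : new int[] {1, configured}) {
            System.out.printf("iterations=%d  ~%.1f us per hash%n", n, microsPerHash(n, 2000));
        }
    }
}
```

The per-hash cost grows roughly linearly with the iteration count, which is the same factor an offline guesser pays for every candidate password.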



