EntryStore provides the following security measures for storing and transferring credentials:
- Passwords are stored as PBKDF2-hashes with per-user salts.
- All random numbers involved in cryptographic operations are generated using the cryptographically strong SecureRandom class.
- The tokens for cookie-authentication are based on cryptographically strong random numbers and do not have any connection to username or password.
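As an added illustration of the three measures above (not EntryStore's own code), this Python snippet stores a password as a PBKDF2 hash with a fresh per-user salt from the OS CSPRNG, verifies it in constant time, and issues a cookie token that is independent of the username and password. The iteration count, salt length, digest and record format are assumptions for the example; the page does not state EntryStore's values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Parameters assumed for this illustration; EntryStore's real iteration
# count, salt length and digest algorithm are not given on the page.
PBKDF2_ITERATIONS = 310_000
SALT_BYTES = 16
TOKEN_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2_sha256$iterations$salt$hash".

    A fresh per-user salt comes from the OS CSPRNG (secrets), so two users
    with the same password end up with different stored hashes.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the salt and iteration count stored in the
    record and compare in constant time (hmac.compare_digest)."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never accept it
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def new_cookie_token() -> str:
    """Cookie-authentication token: purely random bytes from the CSPRNG,
    derived from neither username nor password, so it leaks nothing
    about either even if the token itself is exposed."""
    return secrets.token_urlsafe(TOKEN_BYTES)
```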
Other security-related information:
- EntryStore can be accessed using HTTPS by using an SSL-enabled Web server and/or reverse proxy.
- It is recommended to redirect HTTP requests to HTTPS.
- It is recommended to use SSL/TLS only with cipher suites that provide Perfect Forward Secrecy (PFS). Recommended cipher suites can be found at https://wiki.mozilla.org/Security/Server_Side_TLS.
Informing users of changed passwords
Whenever the password of a user changes, either through a password reset or by setting the password manually, the user is informed by email. The following settings can be used to change the subject and body of the email message:

entrystore.auth.password-change.email.subject=Your password has been changed
entrystore.auth.password-change.email.template=<path-to-template>
See also the KB entry on Signups for more information on how the templating mechanism works.