Angular-SpringBoot-REST-JWT

changing JWT secret key to random string

Open islamazhar opened this issue 5 years ago • 0 comments

Setting the JWT signing key to a small, easily guessable weak string like "mrin" can make it vulnerable to offline brute-force attack using cracking tools like JohnTheRipper, hashcat, c-jwt-cracker [1].

Therefore, the JWT signing key must be [2]

  • at least 128 bits (16 characters long)
  • cryptographically produced random string having high entropy

I have set the JWT signing key to a cryptographically secure random string so that if anyone uses your code for developing an application, then attackers won't be able to guess the secret key of that application.

References:

  • [1] Weak Token Secret, OWASP JWT cheat-sheet
  • [2] Ensure Cryptographic Keys Have Sufficient Entropy, RFC 8725 JSON Web Token Best Current Practices

islamazhar avatar May 19 '20 03:05 islamazhar
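As an added illustration of the two requirements the issue lists (a key of at least 128 bits, produced by a cryptographically secure generator), the following Python script is not part of the Angular-SpringBoot-REST-JWT project and does not use its code. It generates a secret with `secrets.token_urlsafe`, runs a small policy check that rejects short or common-word keys such as the "mrin" value the issue mentions, and then signs and verifies an HS256 token with the standard library so the key can be seen in use. The `WEAK_SECRETS` list and the entropy threshold are constructed heuristics for this example, not values from the page or from any standard; the configuration property the generated value would be stored under is not named on the page, so it is not assumed here.

```python
import base64
import hashlib
import hmac
import json
import math
import secrets
from typing import List, Optional

MIN_KEY_BYTES = 16  # 128 bits, the minimum the issue cites from RFC 8725

# Constructed sample of guessable secrets of the kind the issue warns about
# (illustrative deny-list for this example, not an exhaustive one).
WEAK_SECRETS = {"mrin", "secret", "password", "changeme", "jwtsecret", "123456"}

# Constructed heuristic threshold: an estimated entropy below this many bits
# flags a key as low-diversity (repeated or very few distinct characters).
MIN_ESTIMATED_BITS = 64


def generate_jwt_secret(n_bytes: int = 32) -> str:
    """Return a URL-safe secret carrying n_bytes of CSPRNG entropy (default 256 bits)."""
    if n_bytes < MIN_KEY_BYTES:
        raise ValueError(f"need at least {MIN_KEY_BYTES} random bytes, got {n_bytes}")
    return secrets.token_urlsafe(n_bytes)


def estimated_entropy_bits(s: str) -> float:
    """Rough total Shannon entropy of a string: per-character entropy times length."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def check_jwt_secret(secret: str) -> List[str]:
    """Return a list of policy problems with the secret; an empty list means it passes."""
    problems = []
    raw = secret.encode("utf-8")
    if len(raw) < MIN_KEY_BYTES:
        problems.append(f"key is {len(raw)} bytes; need at least {MIN_KEY_BYTES} (128 bits)")
    if secret.lower() in WEAK_SECRETS:
        problems.append("key is a common, guessable word")
    if estimated_entropy_bits(secret) < MIN_ESTIMATED_BITS:
        problems.append("key has too few distinct characters to carry real entropy")
    return problems


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Produce a compact JWS (JWT) signed with HMAC-SHA256 under the given secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the token is a valid HS256 JWT under secret, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    # Only accept HS256: a header advertising any other alg (e.g. "none") is rejected.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None
    signing_input = f"{header}.{payload}".encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):  # constant-time comparison
        return None
    return json.loads(_b64url_decode(payload))


if __name__ == "__main__":
    print("problems with 'mrin':", check_jwt_secret("mrin"))
    key = generate_jwt_secret()
    print("generated key passes policy:", check_jwt_secret(key) == [])
    token = sign_hs256({"sub": "alice"}, key)
    print("verified claims:", verify_hs256(token, key))
```

The entropy estimate is only a coarse guard against keys built from a handful of repeated characters; it cannot prove randomness, which is why the generator, not the checker, is what guarantees the 128-bit floor. The verifier pins the algorithm to HS256 and compares signatures in constant time, so a token whose header claims a different algorithm or whose signature was produced under another key is refused.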