[ https://issues.apache.org/jira/browse/OFBIZ-3006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14041578#comment-14041578 ]
Adam Heath commented on OFBIZ-3006:
-----------------------------------

Jacques, SHA1 and MD5 are the same kind of technology; they are both one-way hashes. Either could be used for password-type fields. Originally, it was MD5. I added an ability to have different hashes (I stored the hash type in the database), then added salt ability (as a prefix). The examples given are for password-type fields. As that support has been around for quite a while now, this issue can be closed.

Additionally, if you really are concerned about *encrypted* fields not having a salt, then svn trunk now supports such a feature. In the entitymodel definition, you can set encrypt="salt", and the value saved to the database will have a salt prepended. Note that if you do this, then you will not be able to do direct lookups against that value.

> entity encrypt columns not using encryption salt value?
> -------------------------------------------------------
>
> Key: OFBIZ-3006
> URL: https://issues.apache.org/jira/browse/OFBIZ-3006
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: SVN trunk
> Reporter: chris snow
> Assignee: Adam Heath
>
> It looks as though no salt data is used when saving encrypted entity data,
> making the stored data susceptible to dictionary attacks.
> If you look through the stored demo data, you can see all the demo accounts'
> passwords are the same:
> {code}
> UserLogin:
> admin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
> flexadmin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
> ...
> {code}
> As a comparison, if you create two unix accounts, "ofbiz1" and "ofbiz2", and
> set both passwords to "ofbiz":
> {code}
> ofbiz1:$6$3.mYZg9u$0E...:14524:0:99999:7:::
> ofbiz2:$6$MJhYeMqO$Jf...:14524:0:99999:7:::
> {code}
> You can see that on unix, even though the passwords are the same, the
> encrypted values are completely different.
> For more information see:
> [http://en.wikipedia.org/wiki/Salt_(cryptography)]

--
This message was sent by Atlassian JIRA
(v6.2#6252)
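The contrast the issue draws (identical unsalted `{SHA}` values for every demo account versus distinct salted crypt values on unix) and the behaviour Adam describes (salt prepended before hashing, with the consequence that salted values cannot be looked up by direct equality) can be reproduced in a few lines. The following is an added, self-contained Python example written for this page; it is not OFBiz code and does not reproduce OFBiz's on-disk format. The `{SHA}<hex>` shape follows the issue's demo data; the `$SHA256$<salt>$<hex>` layout, the `SAMPLE_ACCOUNTS` data and the word list are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample data (not the OFBiz demo accounts): two users, same password.
SAMPLE_ACCOUNTS: Dict[str, str] = {"admin": "ofbiz", "flexadmin": "ofbiz"}


def unsalted_sha1(password: str) -> str:
    """Legacy-style unsalted hash in the '{SHA}<hex>' shape shown in the issue.
    Same input always yields the same output, so equal passwords are visible
    in the stored data and a precomputed table works against every row."""
    return "{SHA}" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_sha256(password: str, salt: Optional[str] = None) -> str:
    """Salted hash with the salt prepended to the password before hashing,
    as Adam's comment describes. The '$SHA256$<salt>$<hex>' layout is an
    assumption made for this example so the salt travels with the digest."""
    if salt is None:
        salt = secrets.token_hex(8)  # fresh 64-bit random salt per stored value
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"$SHA256${salt}${digest}"


def verify(password: str, stored: str) -> bool:
    """Recompute the stored form from the candidate password. For salted
    values the salt is read back out of the stored string; the comparison is
    constant-time so timing does not leak how many bytes matched."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(unsalted_sha1(password), stored)
    parts = stored.split("$", 3)
    if len(parts) != 4 or parts[1] != "SHA256":
        return False
    _, _algo, salt, _digest = parts
    return hmac.compare_digest(salted_sha256(password, salt), stored)


def hash_table(accounts: Dict[str, str], salted: bool) -> Dict[str, str]:
    """Store every account's password, either unsalted or salted."""
    return {
        user: (salted_sha256(pw) if salted else unsalted_sha1(pw))
        for user, pw in accounts.items()
    }


def dictionary_lookup(stored: str, wordlist: List[str]) -> Optional[str]:
    """A precomputed table of unsalted hashes, built once and reused across
    all rows. It recovers unsalted values directly; a salted value never
    matches because the table would have to be rebuilt per salt."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return table.get(stored)


def direct_lookup_possible(stored_values: List[str], password: str) -> bool:
    """Models a 'WHERE column = ?' query against the stored column. Works for
    unsalted values; for salted values the caller cannot predict the salt, so
    a fresh hash of the same password will not equal any stored row. This is
    the lookup limitation Adam notes for encrypt="salt"."""
    candidate = stored_values[0]
    probe = unsalted_sha1(password) if candidate.startswith("{SHA}") else salted_sha256(password)
    return probe in stored_values


if __name__ == "__main__":
    words = ["password", "ofbiz", "admin"]  # constructed word list
    for salted in (False, True):
        table = hash_table(SAMPLE_ACCOUNTS, salted)
        print("salted" if salted else "unsalted")
        for user, value in table.items():
            print(f"  {user:10} {value}  dictionary -> {dictionary_lookup(value, words)}")
        print(f"  direct equality lookup works: {direct_lookup_possible(list(table.values()), 'ofbiz')}")
```

Running it shows the two unsalted rows as identical strings that a precomputed table resolves at once, while the two salted rows differ, still verify with the correct password, and cannot be found by hashing the password again and comparing. Salting does not stop a per-row guess against one account; its value is that work can no longer be shared across rows or prepared in advance.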