[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12536103 ]

Jonathon Wong commented on OFBIZ-1151:
--------------------------------------

Guido,

> In this case it would increase security, but the seed data passwords would
> become invalid.

The password hashes will certainly need to be recomputed if the new 
implementation adds a salt.

In fact, to make brute force attacks even more expensive, the salt can be 
changed often (say every time the password hash is accessed) and the password 
hash recomputed. If it might take 24 hours for a super-computer to compute the 
password from a password hash and its salt, the salt could be changed every 23 
hours.

The ability to keep the salt secret in a strong and secure box will certainly 
be good. Not very cheap, though. Depends on how strong and how secure the salt 
box is.

> Passwords are not seeded
> ------------------------
>
>                 Key: OFBIZ-1151
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1151
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: party
>    Affects Versions: SVN trunk, Release Branch 4.0
>            Reporter: Wickersheimer Jeremy
>            Assignee: Jacques Le Roux
>            Priority: Minor
>
> Passwords are currently hashed but not seeded which may be a security issue.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
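The thread above discusses adding a per-password salt and the consequence that stored hashes (including seed data) must be recomputed. The following is an added example, not OFBiz code and not attributable to anyone in the thread: it contrasts an unsalted digest with a salted one, verifies a password against a stored record, and shows that a salt can only be rotated at the moment the plaintext is presented (a successful login) or for seed accounts whose plaintext is known. The choice of PBKDF2-SHA256, the iteration count, the `alg$iterations$salt$hash` record format, and the sample passwords are all assumptions made for this example.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example; OFBiz's actual scheme is not shown on the page.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_unsalted(password: str) -> str:
    """Plain digest with no salt: equal passwords always yield equal hashes,
    so one precomputed table breaks every account sharing a password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salt() -> bytes:
    """Fresh random salt; it does not need to be secret, only unique per record."""
    return os.urandom(SALT_BYTES)


def hash_salted(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2-sha256$iter$salt$hash' (format constructed here).
    Storing salt and iteration count beside the digest lets verification work
    after either is changed for new records."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str):
    """Split a stored record back into (algorithm, iterations, salt, digest)."""
    alg, iters, salt_hex, digest_hex = record.split("$")
    return alg, int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    alg, iters, salt, expected = parse_record(record)
    if alg != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(candidate, expected)


def verify_and_resalt(password: str, record: str):
    """Verify a login; on success return a replacement record under a new salt.
    Rotation is only possible here because the plaintext is in hand: a stored
    hash alone cannot be re-salted. Returns (ok, new_record_or_None)."""
    if not verify(password, record):
        return False, None
    return True, hash_salted(password, make_salt())


def migrate_seed_users(seed_users: dict) -> dict:
    """Rebuild records for seed accounts whose plaintext is known (demo data),
    which is the recomputation the thread says a salt migration requires."""
    return {name: hash_salted(pw, make_salt()) for name, pw in seed_users.items()}


if __name__ == "__main__":
    # Constructed sample accounts, not OFBiz's real seed data.
    seed = {"admin": "ofbiz", "demo": "ofbiz"}
    print("unsalted, same password ->", hash_unsalted(seed["admin"]) == hash_unsalted(seed["demo"]))
    records = migrate_seed_users(seed)
    print("salted, same password   ->", records["admin"] == records["demo"])
    ok, rotated = verify_and_resalt("ofbiz", records["admin"])
    print("login ok:", ok, "| record rotated:", rotated != records["admin"])
```

Only the user's own plaintext can produce a new salted hash, so rotation is tied to login events or to seed data where the plaintext is part of the data set; the stored salt itself is not secret and is kept next to the digest.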