[
https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542952
]
Michael Jensen commented on OFBIZ-1151:
---------------------------------------
One option is to use the same field for the hash, but add a colon and the
salt to the end of the string. This way it would be easy to
distinguish between salted and non-salted passwords and validate accordingly.
I've seen a few projects that store password hashes this way.
The Linux /etc/shadow file also stores the hash and salt in one field (but that
doesn't mean it is best for this situation.)
An alternative could be to just have the salt stored in another field in the
same table and if it isn't empty, the password hash is salted. (You have to
store the salt somewhere anyway.)
> Passwords are not seeded
> ------------------------
>
> Key: OFBIZ-1151
> URL: https://issues.apache.org/jira/browse/OFBIZ-1151
> Project: OFBiz
> Issue Type: Improvement
> Components: party
> Affects Versions: SVN trunk, Release Branch 4.0
> Reporter: Wickersheimer Jeremy
> Assignee: Jacques Le Roux
> Priority: Minor
>
> Passwords are currently hashed but not seeded, which may be a security issue.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
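The two storage layouts described in the comment above, worked through as an added example. This is illustration code written for this page, not OFBiz code or anything posted by the commenter; the use of SHA-256 over salt+password, the `:` separator, the hex salt length, and all function names are assumptions made here. The single-field form appends `:<salt>` to the hash, so an entry without a colon is a legacy unsalted hash and is validated as such; the separate-column form passes the salt in directly, with an empty salt meaning unsalted. The example also shows the step a practitioner would want once both forms coexist: re-hashing a legacy entry with a fresh salt on the next successful login.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Added example, not OFBiz code. SHA-256 over salt+password and the ':'
# separator are assumptions made for this illustration.

SEPARATOR = ":"


def _digest(password: str, salt: str) -> str:
    """Hex digest of salt + password. An empty salt gives the legacy unsalted hash."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def new_salt() -> str:
    """Random hex salt; hex never contains the separator, so parsing stays unambiguous."""
    return secrets.token_hex(16)


def make_stored_value(password: str, salt: Optional[str] = None) -> str:
    """Single-field layout: '<hash>:<salt>' when salted, bare '<hash>' when not."""
    if not salt:
        return _digest(password, "")
    if SEPARATOR in salt:
        raise ValueError("salt must not contain the field separator")
    return f"{_digest(password, salt)}{SEPARATOR}{salt}"


def split_stored_value(stored: str) -> Tuple[str, str]:
    """Return (hash, salt) from a single-field value; salt is '' for a legacy entry."""
    if SEPARATOR not in stored:
        return stored, ""
    digest, salt = stored.rsplit(SEPARATOR, 1)
    return digest, salt


def needs_salting(stored: str) -> bool:
    """True for a legacy unsalted entry (no separator present)."""
    return SEPARATOR not in stored


def verify_parts(stored_hash: str, salt: str, password: str) -> bool:
    """Validate against a hash and salt held separately (separate-column layout).

    An empty salt means the row predates salting and is checked as a plain hash.
    compare_digest avoids leaking the match position through timing.
    """
    return hmac.compare_digest(stored_hash, _digest(password, salt))


def verify_single_field(stored: str, password: str) -> bool:
    """Validate against the single-field layout, salted or not."""
    digest, salt = split_stored_value(stored)
    return verify_parts(digest, salt, password)


def upgrade_on_login(stored: str, password: str) -> Tuple[bool, str]:
    """Check the password; if it matches a legacy unsalted entry, return a
    freshly salted replacement to write back. Returns (ok, value_to_store)."""
    if not verify_single_field(stored, password):
        return False, stored
    if needs_salting(stored):
        return True, make_stored_value(password, new_salt())
    return True, stored


if __name__ == "__main__":
    legacy = make_stored_value("correct horse")          # pre-salting row
    ok, upgraded = upgrade_on_login(legacy, "correct horse")
    print(ok, needs_salting(legacy), needs_salting(upgraded))
    print(verify_single_field(upgraded, "correct horse"))
```

Because the hash is hex and the salt is hex, neither side of the value can contain the separator, which is what makes the presence of a colon a reliable salted/unsalted marker; the parser still splits on the last colon so a salt format change later would not break it. A salted fast hash like this fixes the problem the issue raises (identical passwords producing identical hashes), but a dedicated password hashing function such as bcrypt or PBKDF2 with a work factor is the stronger choice where the project can adopt one.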