[
https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707707#action_12707707
]
Jacques Le Roux commented on OFBIZ-1151:
----------------------------------------
Maybe we should just provide a salting mechanism with clear explanations. I
mean OFBiz passwords salted OOTB but only as a demonstration and clear
explanations about not only changing passwords (as it's already done for admin
password) but also salt string. Maybe Michael Jensen's idea of colon separating
password and salt could be used? I also remember the idea of having a salt
string only related to the password at hand (to avoid easy hack if the salt is
discovered by a way or another...), this is also called random salt (the
alternative being static salt). But obviously this introduces a new breach as
you have to store also the random salt. Except if you use a part of the record
only *you* know (for instance a part of the creation date field, etc.)
My 2cts
Jacques
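A minimal illustration of the random-salt scheme sketched in the comment above (a per-record salt stored colon-separated next to the hash), added here as example code; it is not OFBiz code, and the class and method names are hypothetical. It assumes SHA-256 and a 16-byte salt; the salt is stored in the clear, since its role is to make each stored hash unique, not to be secret.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper, not OFBiz code: per-user random salt stored with the hash.
public final class SaltedPasswordDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String ALGO = "SHA-256";

    // Returns "SHA-256:<base64 salt>:<base64 hash>". The salt is random per record,
    // so two users with the same password get different stored values.
    // Base64 never contains ':', so the separator is unambiguous.
    public static String hashPassword(String password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] digest = digest(salt, password);
        Base64.Encoder enc = Base64.getEncoder();
        return ALGO + ":" + enc.encodeToString(salt) + ":" + enc.encodeToString(digest);
    }

    // Re-derives the hash from the stored salt and compares in constant time.
    public static boolean verifyPassword(String password, String stored) {
        String[] parts = stored.split(":");
        if (parts.length != 3 || !ALGO.equals(parts[0])) {
            return false;
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(parts[1]);
        byte[] expected = dec.decode(parts[2]);
        return MessageDigest.isEqual(expected, digest(salt, password));
    }

    // digest = H(salt || password)
    private static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGO);
            md.update(salt);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        String stored = hashPassword("correct horse");
        System.out.println(stored);
        System.out.println(verifyPassword("correct horse", stored));
        System.out.println(verifyPassword("wrong", stored));
    }
}
```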
> Passwords are not seeded
> ------------------------
>
> Key: OFBIZ-1151
> URL: https://issues.apache.org/jira/browse/OFBIZ-1151
> Project: OFBiz
> Issue Type: Sub-task
> Components: party
> Affects Versions: Release Branch 4.0, SVN trunk
> Reporter: Wickersheimer Jeremy
> Assignee: Jacques Le Roux
> Priority: Minor
>
> Passwords are currently hashed but not seeded which may be a security issue.
--
This message is automatically generated by JIRA.