Looking forward to https://issues.apache.org/jira/browse/OFBIZ-1151 https://issues.apache.org/jira/browse/OFBIZ-2729 https://issues.apache.org/jira/browse/OFBIZ-3006

Jacques

From: "Adam Heath" <doo...@brainfood.com>
As some may have noticed, I recently changed the way ofbiz creates password hashes when it stores them in the database. Each time a new password is created, a bit of randomness is used, to create a random-length, random-content salt. This is placed at the beginning of the hashed password, stored along with it in the database. Then, when it comes time to compare passwords, the salt is extracted, and used to re-hash. If someone continuously changes their password to the same value, you'll end up getting different raw hashed values in the database. It also increases the workload for crackers, and makes rainbow tables much less fruitful. I wrote this change over 2 years ago, in direct response to the jira intrusion that happened.
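The scheme Adam describes (a fresh random-length, random-content salt generated per password, stored in front of the digest, and recovered from the stored value at comparison time) in a small, self-contained form. This is an added illustration written for this page, not OFBiz's own code: the `$SHA256$<salt>$<digest>` storage layout, the 8..16 byte salt range and the function names are assumptions made here, and the hash function is plain SHA-256 with the salt prepended to the password bytes.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed storage format (an assumption for this example, not OFBiz's):
#   "$SHA256$<base64 salt>$<base64 digest>"
# Base64 never contains "$", so the three fields can be split on it safely.
ALGORITHM = "SHA256"
MIN_SALT_BYTES = 8
MAX_SALT_BYTES = 16


def _digest(salt: bytes, password: str) -> bytes:
    """Hash salt || password with SHA-256; the salt goes in front."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def new_salt() -> bytes:
    """Random-length (8..16 bytes), random-content salt from the OS CSPRNG."""
    length = MIN_SALT_BYTES + secrets.randbelow(MAX_SALT_BYTES - MIN_SALT_BYTES + 1)
    return secrets.token_bytes(length)


def hash_password(password: str) -> str:
    """Produce the stored value; every call draws a new salt, so hashing the
    same password twice yields two different strings."""
    salt = new_salt()
    digest = _digest(salt, password)
    return "$%s$%s$%s" % (
        ALGORITHM,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def split_stored(stored: str) -> tuple[bytes, bytes]:
    """Recover (salt, digest) from a stored value; raise ValueError if malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != ALGORITHM:
        raise ValueError("unrecognised stored password format")
    salt = base64.b64decode(parts[2], validate=True)
    digest = base64.b64decode(parts[3], validate=True)
    if not (MIN_SALT_BYTES <= len(salt) <= MAX_SALT_BYTES) or len(digest) != 32:
        raise ValueError("salt or digest has an unexpected length")
    return salt, digest


def verify_password(password: str, stored: str) -> bool:
    """Extract the salt from the stored value, re-hash the candidate with it,
    and compare in constant time. Malformed stored values never verify."""
    try:
        salt, expected = split_stored(stored)
    except (ValueError, UnicodeError):
        return False
    return hmac.compare_digest(_digest(salt, password), expected)


def stored_salt_length(stored: str) -> int:
    """Length in bytes of the salt embedded in a stored value."""
    return len(split_stored(stored)[0])


if __name__ == "__main__":
    first = hash_password("correct horse")
    second = hash_password("correct horse")
    print(first)
    print(second)  # different from `first`: a different salt was drawn
    print(verify_password("correct horse", first), verify_password("wrong", first))
```

The two properties the message calls out are visible directly: the same password hashed twice produces two different stored strings (so a user resetting to the same value gets a new database row value every time), and a precomputed table of unsalted digests is useless because the attacker would need one table per salt value. The verifier still recovers the original salt from the prefix, so nothing besides the stored string is needed to check a login.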