Re: recent HashCrypt changes, and using salt-based password hashing

Thu, 19 Apr 2012 23:36:19 -0700 

Yes I'm not too inclined too. This could be an option though for more security 
concerned projects...

Jacques

From: "Pierre Smits" <pierre.sm...@gmail.com>

Hi Adam,

How would that be? That would be one per tenant in a multi-tenant setup? I
can imagine in a multi-tenant setup with the db backend not on derby (as we
all recommend) the upgrade/migration aspect can be enormous. Even more so
in a HAFO-setup.

Regards,

Pierre

Op 20 april 2012 01:23 schreef Adam Heath <doo...@brainfood.com> het
volgende:


On 04/19/2012 06:13 PM, Scott Gray wrote:
>
> On 20/04/2012, at 9:49 AM, Adam Heath wrote:
>
>> On 04/19/2012 04:28 PM, Jacques Le Roux wrote:
>>> Looking forward for
>>> https://issues.apache.org/jira/browse/OFBIZ-1151
>>> https://issues.apache.org/jira/browse/OFBIZ-2729
>>> https://issues.apache.org/jira/browse/OFBIZ-3006
>>
>> 2729 doesn't apply for what I am doing.  Here's the list of things
>> that this solves:
>>
>> 1: salt-based UserLogin.currentPassword
>>   (done, I have a fix for the recent issue locally)
>> 2: salt-based CreditCard.cardNumber encrypted value
>>   (s/b done tonight)
>> 3: salt-based EntityKeyStore.keyText
>>   (s/b done tonight)
>> 4: key-encrypting-key for EntityKeyStore.keyText.  The
>> key-encrypting-key will be available somewhere in ${ofbiz.home.dir}.
>>   (need to read java security doco)
>>
>> I've currently rewritten a bunch of EntityCrypto already to fix the
>> issues I posted into the jira issue.  I'm now at the point I can start
>> adding new features.
>>
>> This set of changes I currently have are rather straight forward, just
>> moving code around.  When I finally get around to adding the new
>> features, then there is a very definate chance of breaking stuff.
>
> Please just do your best to ensure backwards compatibility is
maintained.  I can't imagine anything worse than doing an upgrade and
discovering that all my user passwords are no longer valid.

Sure, I've got things done as an array of handlers now(2 current, plus
1 new).

How do we feel about moving EntityKeyStore into a separate database?
It'd improve the security a little bit, and is rather simple to do
with ofbiz.

Reply via email to