From Jacques Le Roux <jacques.le.r...@les7arts.com>
Subject Re: Replace password encryption SHA-1 by SHA-512
Date Mon, 05 Dec 2016 15:38:29 GMT
Thanks Jinghai, indeed Argon does not seem to be implemented in available JDKs, maybe later...

Jacques


On 05/12/2016 at 15:48, Shi Jinghai wrote:
> Hi Jacques,
>
> Personally I'd prefer PBKDF2 rather than Argon, because the encryption of PBKDF2 is done
> by the JDK, I don't know whether Argon has been supported by the JDK.
>
> Kind Regards,
>
> Shi Jinghai
>
> -----Original Message-----
> From: Jacques Le Roux [mailto:jacques.le.roux@les7arts.com]
> Sent: 5 December 2016 22:24
> To: dev@ofbiz.apache.org
> Cc: gregory draperi
> Subject: Replace password encryption SHA-1 by SHA-512
>
> Hi,
>
> At https://issues.apache.org/jira/browse/OFBIZ-8537 Junyuan has contributed a new PBKDF2_SHA*
> one-way encryption for passwords.
>
> At http://svn.apache.org/viewvc?rev=1772589&view=rev Jinghai has committed it. I
> made a few remarks on this commit; one of these comments was also discussed in the Jira by Pierre
> and Michael. It's about using PBKDF2 OOTB.
>
> After reading https://cryptosense.com/parameter-choice-for-pbkdf2/ I think we should
> replace our current SHA1 default implementation with SHA-512 and increase PBKDF2_ITERATIONS
> to 10 000.
>
> We should also provide new PBKDF2_SHA1 password data.
>
> As suggested by the article above, another step would be to use Argon https://password-hashing.net/
>
> What do you think?
>
> Jacques
>
>
>


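For readers following the thread, here is a stand-alone illustration of the scheme being proposed: PBKDF2-HMAC-SHA512 as shipped in the JDK (`PBKDF2WithHmacSHA512`, available since Java 8), 10 000 iterations, a random per-password salt, and a constant-time comparison on verify. This is added example code, not OFBiz's own `HashCrypt` or anything posted in the thread; the class name and the `$pbkdf2-sha512$<iterations>$<salt>$<hash>` record format are invented for the example. Storing the iteration count in the record is what lets a later increase of `PBKDF2_ITERATIONS` coexist with passwords hashed under the old count.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Hypothetical demo of salted PBKDF2-HMAC-SHA512 password hashing with the
 * 10 000 iterations discussed on the list. Not OFBiz code; the record format
 * "$pbkdf2-sha512$iterations$salt$hash" is constructed for this example only.
 */
public final class Pbkdf2Demo {

    private static final String ALGORITHM = "PBKDF2WithHmacSHA512"; // JDK-provided, Java 8+
    private static final int ITERATIONS = 10_000;                   // value proposed in the thread
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 512;                        // match SHA-512 output size
    private static final String PREFIX = "$pbkdf2-sha512$";          // constructed record marker

    private Pbkdf2Demo() {}

    /** Derive the raw PBKDF2 output for a password, salt and iteration count. */
    static byte[] derive(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 not available in this JDK", e);
        } finally {
            spec.clearPassword(); // wipe the copy of the password held by the spec
        }
    }

    /** Hash a new password with a fresh random salt; the record carries its own parameters. */
    static String hash(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] dk = derive(password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return PREFIX + ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(dk);
    }

    /** Verify a candidate against a stored record, using the iteration count stored with it. */
    static boolean verify(char[] candidate, String stored) {
        if (stored == null || !stored.startsWith(PREFIX)) {
            return false;
        }
        String[] parts = stored.substring(PREFIX.length()).split("\\$");
        if (parts.length != 3) {
            return false;
        }
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = derive(candidate, salt, iterations);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) {
        // Constructed sample password; a new salt is drawn on every run.
        String record = hash("correct horse battery staple".toCharArray());
        System.out.println(record);
        System.out.println("correct password accepted: "
                + verify("correct horse battery staple".toCharArray(), record));
        System.out.println("wrong password rejected:   "
                + !verify("Tr0ub4dor&3".toCharArray(), record));
    }
}
```

Compile and run with `javac Pbkdf2Demo.java && java Pbkdf2Demo`; both checks print `true`. Because each record embeds its iteration count and salt, raising the default later only affects newly hashed passwords, and existing ones can be re-hashed on the next successful login.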