ofbiz-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jacques Le Roux <jacques.le.r...@les7arts.com>
Subject Replace password encryption SHA-1 by SHA-512
Date Mon, 05 Dec 2016 14:24:25 GMT

At https://issues.apache.org/jira/browse/OFBIZ-8537 Junyuan has contributed a new PBDKF2_SHA*
one way encryption for password

At http://svn.apache.org/viewvc?rev=1772589&view=rev Jinghai has committed it, I made
few remarks on this commit, one of this comment was also 
discussed in the Jira by Pierre and Michael. It's about using PBDKF2 OOTB.

After reading https://cryptosense.com/parameter-choice-for-pbkdf2/ I think we should replace
our current SHA1 default implementation by SHA-512 and 
increase PBKDF2_ITERATIONS to 10 000

We should also provide new PBDKF2_SHA1 password data.

As suggested by the article above, another step would be to use Argon https://password-hashing.net/

What do you think?


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message