Return-Path: <notifications-return-7072-archive-asf-public=cust-asf.ponee.io@ofbiz.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id B82F7200BDF
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Sun, 18 Dec 2016 18:46:59 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id B6C0C160B30; Sun, 18 Dec 2016 17:46:59 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 31E36160AF6
	for <archive-asf-public@cust-asf.ponee.io>; Sun, 18 Dec 2016 18:46:59 +0100 (CET)
Received: (qmail 28837 invoked by uid 500); 18 Dec 2016 17:46:58 -0000
Mailing-List: contact notifications-help@ofbiz.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:notifications-help@ofbiz.apache.org>
List-Unsubscribe: <mailto:notifications-unsubscribe@ofbiz.apache.org>
List-Post: <mailto:notifications@ofbiz.apache.org>
List-Id: <notifications.ofbiz.apache.org>
Reply-To: dev@ofbiz.apache.org
Delivered-To: mailing list notifications@ofbiz.apache.org
Received: (qmail 28828 invoked by uid 99); 18 Dec 2016 17:46:58 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 18 Dec 2016 17:46:58 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id 50E6A2C0086
	for <notifications@ofbiz.apache.org>; Sun, 18 Dec 2016 17:46:58 +0000 (UTC)
Date: Sun, 18 Dec 2016 17:46:58 +0000 (UTC)
From: "Jacques Le Roux (JIRA)" <jira@apache.org>
To: notifications@ofbiz.apache.org
Message-ID: <JIRA.13028991.1482083202000.548475.1482083218326@Atlassian.JIRA>
In-Reply-To: <JIRA.13028991.1482083202000@Atlassian.JIRA>
References: <JIRA.13028991.1482083202000@Atlassian.JIRA> <JIRA.13028991.1482083202656@arcas>
Subject: [jira] [Created] (OFBIZ-9150) Create a tool to hashes all our OOTB
 passwords using PBKDF2_SHA512
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Sun, 18 Dec 2016 17:46:59 -0000

Jacques Le Roux created OFBIZ-9150:
--------------------------------------

             Summary: Create a tool to hashes all our OOTB passwords using PBKDF2_SHA512
                 Key: OFBIZ-9150
                 URL: https://issues.apache.org/jira/browse/OFBIZ-9150
             Project: OFBiz
          Issue Type: Sub-task
          Components: framework
            Reporter: Jacques Le Roux
            Priority: Minor


Currently we use SHA1 for our OOTB passwords hashes and they are not salted.  If you create new passwords they will still use SHA1 but they will be salted, which is good.

But we should better provide SHA-512 OOTB hashes instead of SHA-1. And use SHA-512 as default encrypting method (even for fields), with at least 10 000 iterations, to lead our users to the best solution.

We should also provide a simple and easy documentation about that. So far we have this discussion http://markmail.org/message/yqybsqzigrqbyxgf
I suggest to improve/enhance https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deployment



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)