[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12513177 ]
Wickersheimer Jeremy edited comment on OFBIZ-1151 at 7/17/07 1:05 AM:
----------------------------------------------------------------------
Yes,
The nabble link is the problem exactly. Someone proposed to salt the passwords
which is what should be done.
The modification would be trivial really.
- When you store a password you generate a random salt
- Then you store in the DB two fields: the "salt" (hash of a random string),
and the "hashed(salt+password)"
When you check a password, you just need to re-add the salt before hashing and
comparing to the DB.
You can also concatenate the salt and hashed(salt+pass) in one field because
both have predefined size.
was:
PS: the second link is the problem exactly. Someone proposed to salt the
passwords which is what should be done.
The modification would be trivial really.
- When you store a password you generate a random salt
- Then you store in the DB two fields: the "salt" (hash of a random string),
and the "hashed(salt+password)"
When you check a password, you just need to re-add the salt before hashing and
comparing to the DB.
You can also concatenate the salt and hashed(salt+pass) in one field because
both have predefined size.
> Passwords are not seeded
> ------------------------
>
> Key: OFBIZ-1151
> URL: https://issues.apache.org/jira/browse/OFBIZ-1151
> Project: OFBiz
> Issue Type: Improvement
> Components: party
> Affects Versions: SVN trunk, Release Branch 4.0
> Reporter: Wickersheimer Jeremy
> Priority: Minor
>
> Passwords are currently hashed but not seeded which may be a security issue.
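The storage scheme proposed in the comment above (random salt, hashed(salt+password), both kept in one fixed-width field), as an added example that is not part of the original message and is not OFBiz code. Assumptions: SHA-256 as the hash, a 16-byte salt taken directly from the system CSPRNG rather than from hashing a random string, hex encoding, and the function names used here.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16                                    # assumed salt size
SALT_HEX_LEN = SALT_BYTES * 2                      # hex chars used by the salt
DIGEST_HEX_LEN = hashlib.sha256().digest_size * 2  # hex chars used by the hash


def unsalted_hash(password: str) -> str:
    """The situation the issue reports: hashed, but no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _digest(salt: bytes, password: str) -> str:
    # hashed(salt + password), as written in the comment
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """Build the single DB field: hex(salt) followed by hex(hash)."""
    salt = secrets.token_bytes(SALT_BYTES)         # fresh salt per password
    return salt.hex() + _digest(salt, password)


def check_password(stored: str, candidate: str) -> bool:
    """Split at the fixed salt width, re-add the salt, hash and compare."""
    if len(stored) != SALT_HEX_LEN + DIGEST_HEX_LEN:
        return False                               # malformed field
    try:
        salt = bytes.fromhex(stored[:SALT_HEX_LEN])
    except ValueError:
        return False                               # salt part is not hex
    expected = stored[SALT_HEX_LEN:].encode("utf-8")
    actual = _digest(salt, candidate).encode("utf-8")
    return hmac.compare_digest(expected, actual)   # constant-time compare


if __name__ == "__main__":
    pw = "correct horse"                           # constructed sample password
    a, b = store_password(pw), store_password(pw)
    print("unsalted hashes equal:", unsalted_hash(pw) == unsalted_hash(pw))
    print("salted fields equal:  ", a == b)
    print("both verify:          ", check_password(a, pw), check_password(b, pw))
    print("wrong password:       ", check_password(a, "wrong"))
```

A single fast hash is used only to mirror the comment's hashed(salt+password). Current practice for password storage replaces it with a deliberately slow, salted KDF such as PBKDF2, bcrypt, scrypt or Argon2.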