[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12513177 ]
Wickersheimer Jeremy edited comment on OFBIZ-1151 at 7/17/07 1:05 AM:
----------------------------------------------------------------------

Yes, the nabble link is the problem exactly.

Someone proposed to salt the passwords, which is what should be done. The modification would be trivial really.

- When you store a password you generate a random salt.
- Then you store in the DB two fields: the "salt" (hash of a random string), and the "hashed(salt+password)".

When you check a password, you just need to re-add the salt before hashing and comparing to the DB.

You can also concatenate the salt and hashed(salt+pass) in one field because both have predefined size.

was:
PS: the second link is the problem exactly.

Someone proposed to salt the passwords, which is what should be done. The modification would be trivial really.

- When you store a password you generate a random salt.
- Then you store in the DB two fields: the "salt" (hash of a random string), and the "hashed(salt+password)".

When you check a password, you just need to re-add the salt before hashing and comparing to the DB.

You can also concatenate the salt and hashed(salt+pass) in one field because both have predefined size.

> Passwords are not seeded
> ------------------------
>
>                 Key: OFBIZ-1151
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1151
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: party
>    Affects Versions: SVN trunk, Release Branch 4.0
>            Reporter: Wickersheimer Jeremy
>            Priority: Minor
>
> Passwords are currently hashed but not seeded, which may be a security issue.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
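The storage and check scheme the comment sketches (random salt, store salt plus hash(salt+password), re-add the salt on verification, optionally keep both in one field), as an added example in Python that is not OFBiz code and not the commenter's own implementation. The 16-byte salt length, the "$" separator, the use of SHA-256 as the hash and the "salt$hash" field layout are assumptions made here. The unsalted function reproduces the pre-fix situation the issue complains about, so the two can be compared side by side; the PBKDF2 pair goes beyond the comment to show the slow-KDF form a practitioner would use today.

```python
"""Salted password storage as sketched in OFBIZ-1151 (added illustration, not OFBiz code)."""
import hashlib
import hmac
import secrets
from typing import Optional

SALT_BYTES = 16          # assumed salt size; fixed so the field splits unambiguously
PBKDF2_ITERATIONS = 600_000  # assumed work factor for the slow-KDF variant


def unsalted_hash(password: str) -> str:
    """Pre-fix behaviour the issue describes: a bare hash of the password.

    Two users with the same password get the same digest, so a leaked table
    reveals shared passwords and is vulnerable to precomputed lookup tables.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return one DB field 'salt$hash' with hash = SHA-256(salt || password).

    The salt is fresh random bytes per stored password (assumption: 16 bytes).
    Both parts have a fixed size, so storing them concatenated is unambiguous.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Split the stored field, re-add the salt, recompute and compare.

    The comparison is constant-time so a timing side channel does not leak
    how many leading hex digits of the stored digest the guess matched.
    A malformed field simply fails verification instead of raising.
    """
    try:
        salt_hex, expected = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    actual = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual, expected)


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened variant: same salt idea, but a deliberately slow KDF.

    Field layout (assumed): 'iterations$salt$hash', so the work factor can be
    raised later without invalidating rows already stored.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password_pbkdf2(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored iteration count and salt, compare safely."""
    try:
        iter_str, salt_hex, expected = stored.split("$", 2)
        iterations = int(iter_str)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual.hex(), expected)


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    alice, bob = "hunter2", "hunter2"
    print("unsalted equal:", unsalted_hash(alice) == unsalted_hash(bob))   # True: leak visible
    a, b = hash_password(alice), hash_password(bob)
    print("salted equal:  ", a == b)                                       # False: salts differ
    print("alice verifies:", verify_password("hunter2", a))
    print("wrong rejected:", verify_password("hunter3", a))
```

A fast hash such as SHA-256 over salt and password removes the cross-user and precomputed-table problem the comment points at, but still lets an attacker test guesses at full hashing speed against each row; that is why the PBKDF2 pair keeps the same salt-and-field layout while adding a tunable iteration count.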