[ 
https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12536099
 ] 

Jonathon Wong commented on OFBIZ-1151:
--------------------------------------

> Replacing the algorithm won't change anything to the problem, and adding a
> salt is not difficult at all. If i have some time i will try to work on it.

I agree. SHA-256 is just as concrete a 1-way hash algo as MD5. Hashing a 
certain string will still always predictably produce a certain hash result, so 
hackers can easily work backwards to get the password.

The common practice (for a very long time now) is to salt it. In fact, 
financial institutions even store the salt somewhere else, somewhere really 
safe.

> It is critical to protect those hashes from dictionary attacks by attackers
> who obtained those hashes. ... like anyone using the webtool could do.

But wouldn't webtool also yield the salt as well?

But still, I agree that salting the password would make dictionary attacks 
exponentially arduous. For a certain password, it is stored differently (thanks 
to random salt) in each instance where it is stored (say 2 or more users happen 
to like the same password). Therefore, for each hash stored in the database, an 
attack would have to do additional computation (dictionary attack has to be 
completely recoded, actually).

For common needs, salting will adequately make dictionary attacks expensive (or 
impossible).

It is incredibly easy to do dictionary attacks on un-salted password hashes.

> Passwords are not seeded
> ------------------------
>
>                 Key: OFBIZ-1151
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-1151
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: party
>    Affects Versions: SVN trunk, Release Branch 4.0
>            Reporter: Wickersheimer Jeremy
>            Assignee: Jacques Le Roux
>            Priority: Minor
>
> Passwords are currently hashed but not seeded, which may be a security issue.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
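As an added illustration of the point made in the comment above (this is example code written for this page, not OFBiz code or anything posted on the issue), the following shows the difference between an unsalted SHA-256 password hash and a per-user random-salted one: the same password stored for two users yields two different records, a verifier can still check it because the salt is stored alongside the digest, and the number of hash computations a wordlist attack needs grows with the number of stored hashes instead of being a one-time table build. The storage format `salt_hex$digest_hex`, the 16-byte salt length and the constructed wordlist are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist, used only to size the work estimate below.
SAMPLE_WORDLIST = ["password", "123456", "letmein", "ofbiz"]


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 of the password: identical input always gives an identical digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-256 stored as 'salt_hex$digest_hex' (assumed format) so the
    salt travels with the record. A fresh 16-byte random salt is drawn per call
    unless one is supplied (only done here for verification)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def store_twice(password: str) -> tuple:
    """Two users choosing the same password: unsalted records collide,
    salted records differ even though both still verify."""
    unsalted = (hash_unsalted(password), hash_unsalted(password))
    salted = (hash_salted(password), hash_salted(password))
    return unsalted, salted


def hash_work(stored_hashes: int, wordlist_size: int, salted: bool) -> int:
    """Hash computations a wordlist attack needs against a database.
    Unsalted: one precomputed table of the wordlist serves every stored hash.
    Salted: every stored hash forces its own pass over the wordlist."""
    if not salted:
        return wordlist_size
    return stored_hashes * wordlist_size


if __name__ == "__main__":
    (u1, u2), (s1, s2) = store_twice("correct horse")
    print("unsalted identical:", u1 == u2)
    print("salted identical:  ", s1 == s2)
    print("salted verifies:   ", verify_salted("correct horse", s1))
    for n in (1, 1000, 1_000_000):
        print(n, "hashes:", hash_work(n, len(SAMPLE_WORDLIST), False),
              "vs", hash_work(n, len(SAMPLE_WORDLIST), True))
```

The salt itself is not secret (as the comment notes, anything that can read the hash can read the salt); its job is only to make precomputation useless and to force per-record work. A slow, iterated construction on top of the salt is what makes that per-record work expensive, but that is beyond what this thread discusses.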
