Hi to all, if I understand correctly it's enough to use the encrypt attribute on the password fields.
For example, in PaymentGatewayPayflowPro it could be:

<field name="pwd" type="short-varchar" encrypt="true">

Have I understood correctly?

Thanks
Marco

> On Apr 14, 2009, at 1:57 PM, Jacques Le Roux wrote:
>
>> From: "David E Jones" <david.jo...@hotwaxmedia.com>
>>> On Apr 14, 2009, at 11:21 AM, Jacques Le Roux wrote:
>>>
>>>> From: "Ashish Vijaywargiya" <ashish.vijaywarg...@hotwaxmedia.com>
>>>> Hello Marco,
>>>>
>>>> Thanks for your wonderful work in this area.
>>>> I truly appreciate your efforts.
>>>>
>>>> Here are a few thoughts / comments:
>>>>
>>>> 1) We are saving the password as it is.
>>>> https://localhost:8443/accounting/control/ViewGatewayConfiguration?paymentGatewayConfigId=PAYFLOWPRO_CONFIG
>>>> I think we should encrypt the password before saving it to the
>>>> database and not show the password as it is while fetching it
>>>> from the database.
>>>> Thoughts?
>>>>
>>>> +1, using what we already use (also SHA that should be salted at
>>>> some point in the future)
>>>
>>> These are all good changes, so thanks to Jacques and especially
>>> Ashish for the comments.
>>>
>>> For the gateway password encryption we'll want to use the Entity
>>> Engine's built-in two-way encryption. We can't use SHA/hash
>>> encryption because we have to be able to decrypt these passwords
>>> to send them to the payment gateway (i.e. they would never accept a
>>> hashed form of the password; that is a big security hole and
>>> basically nullifies most of the benefit of the hash, which is why
>>> by default we don't allow that in OFBiz either).
>>>
>>> -David
>>
>> Hi David,
>>
>> I understand that we need 2-way encryption for a payment gateway.
>> But about SHA I'm not quite sure I understand. SHA means Secure
>> Hash Algorithm, so why do you add /hash after SHA?
>> I know we use SHA for login passwords, so I'm not sure what you
>> mean. Do you mean that we should not use salted SHA in OFBiz at all?
>
> SHA is a hash algorithm, but there are other hash algorithms and that
> is why I wrote "SHA/hash".
>
> My main point is that a normal password hash algorithm is not relevant
> here as it can't be used when 2-way encryption is needed, that's all.
>
> -David
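David's distinction above, shown as an added Java example that is not OFBiz code and does not use the Entity Engine's own encrypt="true" mechanism: a salted one-way hash for the login password, which can only verify a candidate, next to two-way (AES-GCM) encryption for the gateway password, which has to be recovered and sent to the gateway. The class name, record layout and sample passwords are constructed for the demo, and the AES key is assumed to be loaded from configuration or a keystore outside the database.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class CredentialStorageDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder ENC = Base64.getEncoder();
    private static final Base64.Decoder DEC = Base64.getDecoder();
    // Login password: salted, one-way. "salt:hash" can only verify a candidate; the original is unrecoverable.
    static String hashLoginPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return ENC.encodeToString(salt) + ":" + ENC.encodeToString(pbkdf2(password, salt));
    }
    static boolean verifyLoginPassword(char[] password, String stored) throws Exception {
        String[] parts = stored.split(":");
        return MessageDigest.isEqual(DEC.decode(parts[1]), pbkdf2(password, DEC.decode(parts[0]))); // constant-time
    }
    private static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    // Gateway password: must reach the gateway in clear, so it is AES-GCM encrypted under a key kept outside the DB.
    static String encryptGatewayPassword(SecretKeySpec key, String plaintext) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv); // fresh IV per record; GCM must never reuse one under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes("UTF-8"));
        return ENC.encodeToString(iv) + ":" + ENC.encodeToString(ct);
    }
    static String decryptGatewayPassword(SecretKeySpec key, String stored) throws Exception {
        String[] parts = stored.split(":");
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, DEC.decode(parts[0])));
        return new String(cipher.doFinal(DEC.decode(parts[1])), "UTF-8"); // GCM tag check rejects any tampering
    }
    public static void main(String[] args) throws Exception {
        String loginRecord = hashLoginPassword("login-pw".toCharArray()); // constructed sample
        System.out.println("login verified: " + verifyLoginPassword("login-pw".toCharArray(), loginRecord));
        byte[] keyBytes = new byte[32];
        RNG.nextBytes(keyBytes); // stand-in for a key loaded from config/keystore, never stored beside the data
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
        System.out.println("gateway password recovered: " + decryptGatewayPassword(key, encryptGatewayPassword(key, "gateway-pw")));
    }
}
```

The login record is useless to anyone who cannot guess the password, while the gateway record is only as safe as the key that is kept away from the database, which is why the two fields need different treatment.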