[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13472521#comment-13472521 ]
Adam Heath commented on OFBIZ-1151:
-----------------------------------

Technically, *any* hard-coded value, even hashed, in the seed data is bad. It'd be nice to get different per-install salt+hash values in the database. However, the only way to do that would be to store the non-hashed passwords in seed, and salt+hash them during store. That would require a change to the xml data loader. I haven't done any of this, am just brainstorming.

If we do not go this route, then each stored hashed value should be changed to a *different* salt+hash value. There is a simple main(String[]) command in the repo that can facilitate this.

> Passwords are not salted
> ------------------------
>
> Key: OFBIZ-1151
> URL: https://issues.apache.org/jira/browse/OFBIZ-1151
> Project: OFBiz
> Issue Type: Sub-task
> Components: party
> Affects Versions: Release Branch 4.0, SVN trunk
> Reporter: Wickersheimer Jeremy
> Assignee: Adam Heath
> Priority: Minor
>
> Passwords are currently hashed but not seeded which may be a security issue.
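
The load-time approach described in the comment above, as an added example that is not OFBiz code and not part of the original message: a loader reads plain-text passwords from seed XML and salts and hashes each one at store time, so two installs end up with different stored values. The XML element and attribute names, the `iterations$salt$hash` stored format, and the use of PBKDF2-HMAC-SHA256 as the salted hash are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed seed file; element and attribute names are hypothetical.
SEED_XML = """<seed>
  <user login="admin" password="example-admin-pw"/>
  <user login="demo" password="example-demo-pw"/>
</seed>"""

ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """Hash with no salt: the same value on every install."""
    return hashlib.sha256(password.encode()).hexdigest()


def salt_and_hash(password: str) -> str:
    """Draw a fresh random salt and return 'iterations$salt$hash'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"{ITERATIONS}${b64(salt)}${b64(digest)}"


def verify(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_b64, digest_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def load_seed(xml_text: str) -> dict:
    """Simulate the loader: salt+hash each seed password at store time."""
    rows = {}
    for user in ET.fromstring(xml_text).iter("user"):
        rows[user.get("login")] = salt_and_hash(user.get("password"))
    return rows


if __name__ == "__main__":
    install_a, install_b = load_seed(SEED_XML), load_seed(SEED_XML)
    print(install_a["admin"] != install_b["admin"])  # stored values differ
    print(verify("example-admin-pw", install_b["admin"]))  # still verifies
```

The stored values differ per install, but the seed passwords themselves are the same on every install until they are changed.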