Hi,

At https://issues.apache.org/jira/browse/OFBIZ-8537 Junyuan has contributed a new PBKDF2_SHA* one-way encryption for passwords.

At http://svn.apache.org/viewvc?rev=1772589&view=rev Jinghai has committed it. I made a few remarks on this commit; one of these comments was also discussed in the Jira by Pierre and Michael. It's about using PBKDF2 OOTB.

After reading https://cryptosense.com/parameter-choice-for-pbkdf2/ I think we should replace our current SHA1 default implementation with SHA-512 and increase PBKDF2_ITERATIONS to 10 000.

We should also provide new PBKDF2_SHA1 password data. As suggested by the article above, another step would be to use Argon https://password-hashing.net/

What do you think?

Jacques
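As an added illustration of the parameter change proposed above (this is example code written for this page, not OFBiz's Java HashCrypt and not code from the Jira or the commit): a small PBKDF2 password store that defaults to HMAC-SHA-512 with 10 000 iterations, keeps verifying records that were written with the older SHA1 default, and flags those records for re-hashing on the next successful login. The `$PBKDF2-<PRF>$<iterations>$<salt>$<hash>` record layout, the salt and key lengths and all function names are assumptions made for this example, not OFBiz's storage format.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

# Proposed defaults from the mail: SHA-512 as the PRF, 10 000 iterations.
# Names and sizes below are this example's own assumptions, not OFBiz's.
DEFAULT_PRF = "sha512"
DEFAULT_ITERATIONS = 10_000
SALT_BYTES = 16

# PRF name -> derived key length; a full digest-length key wastes nothing
# and keeps one PBKDF2 block per candidate, which is the cheapest for the
# defender and no cheaper for an attacker.
SUPPORTED_PRFS = {"sha1": 20, "sha256": 32, "sha512": 64}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, prf: str = DEFAULT_PRF,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: bytes = None) -> str:
    """Return a self-describing record: $PBKDF2-<PRF>$<iter>$<salt>$<dk>.

    The record carries its own PRF and iteration count so defaults can be
    raised later without invalidating existing passwords.
    """
    if prf not in SUPPORTED_PRFS:
        raise ValueError(f"unsupported PRF: {prf}")
    if iterations < 1:
        raise ValueError("iterations must be positive")
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt,
                             iterations, dklen=SUPPORTED_PRFS[prf])
    return f"$PBKDF2-{prf.upper()}${iterations}${_b64(salt)}${_b64(dk)}"


def parse_record(stored: str) -> Tuple[str, int, bytes, bytes]:
    """Split a stored record into (prf, iterations, salt, derived_key)."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or not parts[1].startswith("PBKDF2-"):
        raise ValueError("not a PBKDF2 record")
    prf = parts[1][len("PBKDF2-"):].lower()
    return prf, int(parts[2]), _unb64(parts[3]), _unb64(parts[4])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own parameters; constant-time compare."""
    prf, iterations, salt, expected = parse_record(stored)
    if prf not in SUPPORTED_PRFS:
        return False
    dk = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record is weaker than the current defaults
    (old SHA1 PRF, or fewer iterations than we now require)."""
    prf, iterations, _, _ = parse_record(stored)
    return prf != DEFAULT_PRF or iterations < DEFAULT_ITERATIONS


def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Login-time migration: on success, return a record re-hashed with the
    current defaults if the stored one is out of date, else the original."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored


if __name__ == "__main__":
    # Constructed sample: a record written under the old SHA1 default.
    legacy = hash_password("correct horse", prf="sha1", iterations=1000)
    ok, upgraded = verify_and_upgrade("correct horse", legacy)
    print(legacy.split("$")[1:3], "->", upgraded.split("$")[1:3], ok)
```

The record stores the PRF and iteration count alongside the salt, so raising `DEFAULT_ITERATIONS` again later only requires bumping the constant; `verify_and_upgrade` then moves each account forward the next time its owner logs in, which is the only moment the plaintext is available to re-hash.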