Hi Jacques,

Personally I'd prefer PBKDF2 rather than Argon, because the encryption for PBKDF2 
is done by the JDK; I don't know whether Argon is supported by the JDK.

Kind Regards,

Shi Jinghai

-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com] 
Sent: December 5, 2016 22:24
To: dev@ofbiz.apache.org
Cc: gregory draperi
Subject: Replace password encryption SHA-1 by SHA-512

Hi,

At https://issues.apache.org/jira/browse/OFBIZ-8537 Junyuan has contributed a 
new PBKDF2_SHA* one-way password encryption.

At http://svn.apache.org/viewvc?rev=1772589&view=rev Jinghai has committed it. 
I made a few remarks on this commit; one of these comments was also discussed in 
the Jira by Pierre and Michael. It's about using PBKDF2 OOTB.

After reading https://cryptosense.com/parameter-choice-for-pbkdf2/ I think we 
should replace our current SHA1 default implementation by SHA-512 and increase 
PBKDF2_ITERATIONS to 10 000.

We should also provide new PBKDF2_SHA1 password data.

As suggested by the article above, another step would be to use Argon 
https://password-hashing.net/

What do you think?

Jacques
