Jacques,I have no time to think about it more so I would prefer to create a Jira, provide a patch and wait a few days for people to review.
I see no need to hurry with this issue. Thanks, Michael Am 08.12.16 um 10:01 schrieb Jacques Le Roux:
OK, nobody expressed a concern so I'll apply a lazy consensus and implement "SHA-512 and increase PBKDF2_ITERATIONS to 10 000"Else please express your concern now before I create a Jira for that Thanks Jacques Le 05/12/2016 à 16:38, Jacques Le Roux a écrit :Thanks Jinghai, indeed Argon does not seems to be implemented in available JDKs, maybe later...Jacques Le 05/12/2016 à 15:48, Shi Jinghai a écrit :Hi Jacques,Personally I'd prefer PBKDF2 rather than Argon, because the encrypt of PBKDF2 is done by JDK, I don't know whether Argon has been supported by JDK.Kind Regards, Shi Jinghai -----邮件原件----- 发件人: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com] 发送时间: 2016年12月5日 22:24 收件人: dev@ofbiz.apache.org 抄送: gregory draperi 主题: Replace password encryption SHA-1 by SHA-512 Hi,At https://issues.apache.org/jira/browse/OFBIZ-8537 Junyuan has contributed a new PBDKF2_SHA* one way encryption for passwordAt http://svn.apache.org/viewvc?rev=1772589&view=rev Jinghai has committed it, I made few remarks on this commit, one of this comment was also discussed in the Jira by Pierre and Michael. It's about using PBDKF2 OOTB.After reading https://cryptosense.com/parameter-choice-for-pbkdf2/ I think we should replace our current SHA1 default implementation by SHA-512 and increase PBKDF2_ITERATIONS to 10 000We should also provide new PBDKF2_SHA1 password data.As suggested by the article above, another step would be to use Argon https://password-hashing.net/What do you think? Jacques
smime.p7s
Description: S/MIME Cryptographic Signature