What is the impact?
If people have to re-enter the password then it is not acceptable.
It should be backwards compatible.
Regards,
Hans
On 08/12/16 16:33, Michael Brohl wrote:
Jacques,
I have no time to think about it more so I would prefer to create a
Jira, provide a patch and wait a few days for people to review.
I see no need to hurry with this issue.
Thanks,
Michael
Am 08.12.16 um 10:01 schrieb Jacques Le Roux:
OK, nobody expressed a concern, so I'll apply a lazy consensus and
implement "SHA-512 and increase PBKDF2_ITERATIONS to 10 000".
Else please express your concern now, before I create a Jira for that.
Thanks
Jacques
Le 05/12/2016 à 16:38, Jacques Le Roux a écrit :
Thanks Jinghai, indeed Argon does not seem to be implemented in
available JDKs, maybe later...
Jacques
Le 05/12/2016 à 15:48, Shi Jinghai a écrit :
Hi Jacques,
Personally I'd prefer PBKDF2 rather than Argon, because the encryption
of PBKDF2 is done by the JDK; I don't know whether Argon has been
supported by the JDK.
Kind Regards,
Shi Jinghai
-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
Sent: December 5, 2016 22:24
To: dev@ofbiz.apache.org
Cc: gregory draperi
Subject: Replace password encryption SHA-1 by SHA-512
Hi,
At https://issues.apache.org/jira/browse/OFBIZ-8537 Junyuan has
contributed a new PBDKF2_SHA* one-way encryption for passwords.
At http://svn.apache.org/viewvc?rev=1772589&view=rev Jinghai has
committed it. I made a few remarks on this commit; one of these comments
was also discussed in the Jira by Pierre and Michael. It's about
using PBKDF2 OOTB.
After reading https://cryptosense.com/parameter-choice-for-pbkdf2/ I
think we should replace our current SHA1 default implementation by
SHA-512 and increase PBKDF2_ITERATIONS to 10 000.
We should also provide new PBDKF2_SHA1 password data.
As suggested by the article above, another step would be to use
Argon https://password-hashing.net/
What do you think?
Jacques
--
Regards,
Hans Bakker
CEO, http://antwebsystems.com
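To illustrate both Jacques's proposal (PBKDF2 with SHA-512 and 10 000 iterations as the new default) and Hans's backwards-compatibility requirement (nobody re-enters a password), here is an added Python example that is not OFBiz code: stored records in the old salted-SHA-1 form are still verified, and on a successful login they are transparently re-hashed with the new parameters. The `$algo$...` storage format, the 16-byte salt and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed storage format (an assumption, not OFBiz's own):
#   legacy: $SHA$<salt-b64>$<sha1(salt+password)-b64>
#   new:    $PBKDF2-SHA512$<iterations>$<salt-b64>$<derived-key-b64>
PBKDF2_ITERATIONS = 10000

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def legacy_sha1_hash(password, salt):
    """Old default: one salted SHA-1 round (kept only to verify stored data)."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return "$SHA$%s$%s" % (_b64(salt), _b64(digest))

def pbkdf2_sha512_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """New default: PBKDF2-HMAC-SHA512, 10 000 iterations, 16-byte random salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "$PBKDF2-SHA512$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))

def verify(password, stored):
    """Check a password against either format, comparing in constant time."""
    f = stored.split("$")
    if len(f) == 4 and f[1] == "SHA":
        candidate = legacy_sha1_hash(password, base64.b64decode(f[2]))
    elif len(f) == 5 and f[1] == "PBKDF2-SHA512":
        candidate = pbkdf2_sha512_hash(password, base64.b64decode(f[3]), int(f[2]))
    else:
        return False
    return hmac.compare_digest(candidate, stored)

def login(password, stored):
    """Returns (ok, record_to_save). On success, a legacy record or a PBKDF2
    record below the current iteration count is re-hashed with the new
    parameters, so nobody has to re-enter a password."""
    if not verify(password, stored):
        return False, None
    f = stored.split("$")
    outdated = f[1] != "PBKDF2-SHA512" or int(f[2]) < PBKDF2_ITERATIONS
    return True, (pbkdf2_sha512_hash(password) if outdated else stored)
```

The caller persists the returned record whenever it differs from the one read from the database; the upgrade therefore happens gradually, one successful login at a time.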