I agree, Hans. A new implementation should be optional and not simply replace the old.

Regards,
Michael

On 09.12.16 at 03:12, Hans Bakker wrote:

What is the impact? If people have to re-enter the password then it is not acceptable. It should be backwards compatible.

Regards,
Hans

On 08/12/16 16:33, Michael Brohl wrote:

Jacques,

I have no time to think about it more, so I would prefer to create a Jira, provide a patch and wait a few days for people to review. I see no need to hurry with this issue.

Thanks,
Michael

On 08.12.16 at 10:01, Jacques Le Roux wrote:

OK, nobody expressed a concern, so I'll apply a lazy consensus and implement "SHA-512 and increase PBKDF2_ITERATIONS to 10 000".

Else please express your concern now before I create a Jira for that.

Thanks
Jacques

On 05/12/2016 at 16:38, Jacques Le Roux wrote:

Thanks Jinghai, indeed Argon does not seem to be implemented in available JDKs, maybe later...

Jacques

On 05/12/2016 at 15:48, Shi Jinghai wrote:

Hi Jacques,

Personally I'd prefer PBKDF2 rather than Argon, because the encryption in PBKDF2 is done by the JDK. I don't know whether Argon has been supported by the JDK.

Kind Regards,
Shi Jinghai

-----Original Message-----
From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
Sent: 5 December 2016 22:24
To: dev@ofbiz.apache.org
Cc: gregory draperi
Subject: Replace password encryption SHA-1 by SHA-512

Hi,

At https://issues.apache.org/jira/browse/OFBIZ-8537 Junyuan has contributed a new PBKDF2_SHA* one-way encryption for passwords.

At http://svn.apache.org/viewvc?rev=1772589&view=rev Jinghai has committed it. I made a few remarks on this commit; one of these comments was also discussed in the Jira by Pierre and Michael. It's about using PBKDF2 OOTB.

After reading https://cryptosense.com/parameter-choice-for-pbkdf2/ I think we should replace our current SHA1 default implementation by SHA-512 and increase PBKDF2_ITERATIONS to 10 000. We should also provide new PBKDF2_SHA1 password data.

As suggested by the article above, another step would be to use Argon: https://password-hashing.net/

What do you think?

Jacques