Assume the worst... Best regards,
Pierre Smits ORRTIZ.COM <http://www.orrtiz.com> OFBiz based solutions & services OFBiz Extensions Marketplace http://oem.ofbizci.net/oci-2/ On Fri, Dec 9, 2016 at 10:17 AM, Taher Alkhateeb <slidingfilame...@gmail.com > wrote: > I think the best solution in here is to actually parameterize the > encryption algorithm with a default backwards compatible choice (SHA1). > > However, I'm not sure that we do need that. SHA1 is okay I think, and it > has the most support out there in terms of libraries. Do we have any > history of people cracking passwords in OFBiz _because_ they are SHA1? I > mean for that to happen, I think not only does the password have to be > weak, but the attacker should have access to the database and be able to > retrieve the password hashes, which seems less likely to me. > > On Fri, Dec 9, 2016 at 12:06 PM, Michael Brohl <michael.br...@ecomify.de> > wrote: > > > I agree, Hans. > > > > A new implementation should be optional and not simply replace the old. > > > > Regards, > > > > Michael > > > > Am 09.12.16 um 03:12 schrieb Hans Bakker: > > > > What is the impact? > >> > >> if people have to re-enter the password then it is not acceptable. > >> > >> it should be backwards compatible. > >> > >> Regards, > >> Hans > >> > >> On 08/12/16 16:33, Michael Brohl wrote: > >> > >>> Jacques, > >>> > >>> I have no time to think about it more so I would prefer to create a > >>> Jira, provide a patch and wait a few days for people to review. > >>> > >>> I see no need to hurry with this issue. > >>> > >>> Thanks, > >>> > >>> Michael > >>> > >>> > >>> Am 08.12.16 um 10:01 schrieb Jacques Le Roux: > >>> > >>>> OK, nobody expressed a concern so I'll apply a lazy consensus and > >>>> implement "SHA-512 and increase PBKDF2_ITERATIONS to 10 000" > >>>> > >>>> Else please express your concern now before I create a Jira for that > >>>> > >>>> Thanks > >>>> > >>>> Jacques > >>>> > >>>> > >>>> Le 05/12/2016 à 16:38, Jacques Le Roux a écrit : > >>>> > >>>>> Thanks Jinghai, indeed Argon does not seems to be implemented in > >>>>> available JDKs, maybe later... > >>>>> > >>>>> Jacques > >>>>> > >>>>> > >>>>> Le 05/12/2016 à 15:48, Shi Jinghai a écrit : > >>>>> > >>>>>> Hi Jacques, > >>>>>> > >>>>>> Personally I'd prefer PBKDF2 rather than Argon, because the encrypt > >>>>>> of PBKDF2 is done by JDK, I don't know whether Argon has been > >>>>>> supported by JDK. > >>>>>> > >>>>>> Kind Regards, > >>>>>> > >>>>>> Shi Jinghai > >>>>>> > >>>>>> -----邮件原件----- > >>>>>> 发件人: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com] > >>>>>> 发送时间: 2016年12月5日 22:24 > >>>>>> 收件人: dev@ofbiz.apache.org > >>>>>> 抄送: gregory draperi > >>>>>> 主题: Replace password encryption SHA-1 by SHA-512 > >>>>>> > >>>>>> Hi, > >>>>>> > >>>>>> At https://issues.apache.org/jira/browse/OFBIZ-8537 Junyuan has > >>>>>> contributed a new PBDKF2_SHA* one way encryption for password > >>>>>> > >>>>>> At http://svn.apache.org/viewvc?rev=1772589&view=rev Jinghai has > >>>>>> committed it, I made few remarks on this commit, one of this comment > >>>>>> was also discussed in the Jira by Pierre and Michael. It's about > >>>>>> using PBDKF2 OOTB. > >>>>>> > >>>>>> After reading https://cryptosense.com/parameter-choice-for-pbkdf2/ > I > >>>>>> think we should replace our current SHA1 default implementation by > >>>>>> SHA-512 and increase PBKDF2_ITERATIONS to 10 000 > >>>>>> > >>>>>> We should also provide new PBDKF2_SHA1 password data. > >>>>>> > >>>>>> As suggested by the article above, another step would be to use > >>>>>> Argon https://password-hashing.net/ > >>>>>> > >>>>>> What do you think? > >>>>>> > >>>>>> Jacques > >>>>>> > >>>>>> > >>>>>> > >>>>>> > >>>>> > >>>>> > >>>> > >>> > >>> > >> > > > > >