Even though OFBiz is often protected through SSL it still uses an RDBMS
where the passwords are stored. If that is not set up properly, persons with
ill will can get access to the passwords of OFBiz users. And then it is
relatively easy to do the nasty.

Even though we can regard it an adopter's prerogative to allow weak password
encryption, it will reflect badly on this project when we don't do our
utmost to ensure that the evil doers are obstructed to the max, as it will
fuel the critics.

Best regards

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/

On Mon, Dec 19, 2016 at 8:10 AM, Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> I totally agree with Pierre, even if the risk is low, especially in
> backend which is usually Intranet though less and less with now
> smartphones, we should not wait for a hacker to find a way.
>
> Jacques
>
>
> On 09/12/2016 at 10:20, Pierre Smits wrote:
>
>> Assume the worst...
>>
>> Best regards,
>>
>> Pierre Smits
>>
>> ORRTIZ.COM <http://www.orrtiz.com>
>>
>> OFBiz based solutions & services
>>
>> OFBiz Extensions Marketplace
>> http://oem.ofbizci.net/oci-2/
>>
>> On Fri, Dec 9, 2016 at 10:17 AM, Taher Alkhateeb <
>> slidingfilame...@gmail.com> wrote:
>>
>>> I think the best solution in here is to actually parameterize the
>>> encryption algorithm with a default backwards compatible choice (SHA1).
>>>
>>> However, I'm not sure that we do need that. SHA1 is okay I think, and it
>>> has the most support out there in terms of libraries. Do we have any
>>> history of people cracking passwords in OFBiz _because_ they are SHA1? I
>>> mean for that to happen, I think not only does the password have to be
>>> weak, but the attacker should have access to the database and be able to
>>> retrieve the password hashes, which seems less likely to me.
>>>
>>> On Fri, Dec 9, 2016 at 12:06 PM, Michael Brohl <michael.br...@ecomify.de>
>>> wrote:
>>>
>>>> I agree, Hans.
>>>>
>>>> A new implementation should be optional and not simply replace the old.
>>>>
>>>> Regards,
>>>>
>>>> Michael
>>>>
>>>> On 09.12.16 at 03:12, Hans Bakker wrote:
>>>>
>>>>> What is the impact?
>>>>
>>>>> if people have to re-enter the password then it is not acceptable.
>>>>>
>>>>> it should be backwards compatible.
>>>>>
>>>>> Regards,
>>>>> Hans
>>>>>
>>>>> On 08/12/16 16:33, Michael Brohl wrote:
>>>>>
>>>>>> Jacques,
>>>>>>
>>>>>> I have no time to think about it more so I would prefer to create a
>>>>>> Jira, provide a patch and wait a few days for people to review.
>>>>>>
>>>>>> I see no need to hurry with this issue.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Michael
>>>>>>
>>>>>>
>>>>>> On 08.12.16 at 10:01, Jacques Le Roux wrote:
>>>>>>
>>>>>>> OK, nobody expressed a concern so I'll apply a lazy consensus and
>>>>>>> implement "SHA-512 and increase PBKDF2_ITERATIONS to 10 000"
>>>>>>>
>>>>>>> Else please express your concern now before I create a Jira for that
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>>
>>>>>>> On 05/12/2016 at 16:38, Jacques Le Roux wrote:
>>>>>>>
>>>>>>>> Thanks Jinghai, indeed Argon does not seem to be implemented in
>>>>>>>> available JDKs, maybe later...
>>>>>>>>
>>>>>>>> Jacques
>>>>>>>>
>>>>>>>>
>>>>>>>> On 05/12/2016 at 15:48, Shi Jinghai wrote:
>>>>>>>>
>>>>>>>>> Hi Jacques,
>>>>>>>>>
>>>>>>>>> Personally I'd prefer PBKDF2 rather than Argon, because the encrypt
>>>>>>>>> of PBKDF2 is done by JDK, I don't know whether Argon has been
>>>>>>>>> supported by JDK.
>>>>>>>>>
>>>>>>>>> Kind Regards,
>>>>>>>>>
>>>>>>>>> Shi Jinghai
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Jacques Le Roux [mailto:jacques.le.r...@les7arts.com]
>>>>>>>>> Sent: December 5, 2016 22:24
>>>>>>>>> To: dev@ofbiz.apache.org
>>>>>>>>> Cc: gregory draperi
>>>>>>>>> Subject: Replace password encryption SHA-1 by SHA-512
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> At https://issues.apache.org/jira/browse/OFBIZ-8537 Junyuan has
>>>>>>>>> contributed a new PBKDF2_SHA* one way encryption for password
>>>>>>>>>
>>>>>>>>> At http://svn.apache.org/viewvc?rev=1772589&view=rev Jinghai has
>>>>>>>>> committed it, I made a few remarks on this commit, one of these
>>>>>>>>> comments was also discussed in the Jira by Pierre and Michael.
>>>>>>>>> It's about using PBKDF2 OOTB.
>>>>>>>>>
>>>>>>>>> After reading https://cryptosense.com/parameter-choice-for-pbkdf2/
>>>>>>>>> I think we should replace our current SHA1 default implementation
>>>>>>>>> by SHA-512 and increase PBKDF2_ITERATIONS to 10 000
>>>>>>>>>
>>>>>>>>> We should also provide new PBKDF2_SHA1 password data.
>>>>>>>>>
>>>>>>>>> As suggested by the article above, another step would be to use
>>>>>>>>> Argon https://password-hashing.net/
>>>>>>>>>
>>>>>>>>> What do you think?
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>
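
The backward-compatibility concern raised in the thread (existing SHA-1 hashes must keep working without users re-entering passwords) is commonly handled by verifying against whatever scheme a row was stored with and rehashing at the next successful login. The following is an added example, not part of the thread and not OFBiz code; the class name, the `{SHA}` and `{PBKDF2-SHA512}` storage tags and the unsalted legacy format are assumptions made for illustration:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordUpgradeDemo {
    static final int ITERATIONS = 10_000;           // value proposed in the thread
    static final String PREFIX = "{PBKDF2-SHA512}"; // constructed storage tag (assumption)

    static byte[] pbkdf2(char[] pw, byte[] salt, int iter) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iter, 512); // 512-bit derived key
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512").generateSecret(spec).getEncoded();
    }
    /** New-style record: tag + iterations $ base64(salt) $ base64(derived key). */
    static String hashNew(String pw) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return PREFIX + ITERATIONS + "$" + b64.encodeToString(salt) + "$"
                + b64.encodeToString(pbkdf2(pw.toCharArray(), salt, ITERATIONS));
    }
    /** Legacy record: single unsalted SHA-1 pass (assumed format for the old rows). */
    static String hashLegacySha1(String pw) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(pw.getBytes(StandardCharsets.UTF_8));
        return "{SHA}" + Base64.getEncoder().encodeToString(d);
    }
    static boolean verify(String pw, String stored) throws Exception {
        if (stored.startsWith(PREFIX)) {
            // Iteration count is read from the record, so it can be raised later.
            String[] p = stored.substring(PREFIX.length()).split("\\$");
            byte[] salt = Base64.getDecoder().decode(p[1]);
            byte[] expected = Base64.getDecoder().decode(p[2]);
            return MessageDigest.isEqual(expected, pbkdf2(pw.toCharArray(), salt, Integer.parseInt(p[0])));
        }
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                hashLegacySha1(pw).getBytes(StandardCharsets.UTF_8));
    }
    /** Returns the value to store after a login attempt, or null if the password is wrong. */
    static String loginAndUpgrade(String pw, String stored) throws Exception {
        if (!verify(pw, stored)) return null;
        return stored.startsWith(PREFIX) ? stored : hashNew(pw); // rehash legacy rows transparently
    }
    public static void main(String[] args) throws Exception {
        String legacy = hashLegacySha1("correct horse"); // constructed sample row
        String upgraded = loginAndUpgrade("correct horse", legacy);
        System.out.println(legacy + " -> " + upgraded);
        System.out.println(verify("correct horse", upgraded) + " " + (loginAndUpgrade("wrong", legacy) == null));
    }
}
```

Rows belonging to users who never log in again stay in the legacy format, so a deployment using this approach still needs a policy for those accounts.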
