In reference to earlier threads and discussions, I propose the following:

1- Make the encryption algorithm a parameter, not hard-coded into the system.
2- Implement a new stronger encryption algorithm.
3- Set the new algorithm as default.
4- Update our documentation to point existing users to upgrade passwords OR change the encryption algorithm in settings back to the old default of SHA1.
WDYT?

On Sat, Feb 25, 2017 at 12:31 AM, Michael Brohl <michael.br...@ecomify.de> wrote:

> Another good reference: https://shattered.it
>
> Regards,
>
> Michael
>
> On 24.02.17 at 22:07 Michael Brohl wrote:
>
>> Hi everyone,
>>
>> Google announced the first SHA1 collision [1]. See [2] for in-depth
>> explanations.
>> It's recommended to migrate to safer cryptographic hashes such as SHA-2
>> or SHA-3 as soon as possible.
>> See [3] for an overview of SHA. SHA-3 was announced as the official new
>> standard [4].
>>
>> Let's discuss how we want to deal with this in OFBiz, any help is greatly
>> appreciated.
>>
>> Best regards,
>> Michael
>>
>> [1] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
>> [2] https://shattered.io/static/shattered.pdf
>> [3] https://en.wikipedia.org/wiki/Secure_Hash_Algorithm
>> [4] https://www.federalregister.gov/documents/2015/08/05/2015-19181/announcing-approval-of-federal-information-processing-standard-fips-202-sha-3-standard
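An added illustration of the four steps proposed above (example code, not OFBiz's own implementation): the algorithm name is stored alongside each hash so legacy SHA1 entries keep verifying while new hashes use a configurable default, and a successful login with a legacy hash triggers a rehash. The `$algorithm$salt$digest` storage format, the algorithm table and the function names are assumptions for this sketch.

```python
import base64
import hashlib
import hmac
import os

# Step 1 and 3: the algorithm is a setting, and the new one is the default.
# Operators who must stay on the old behaviour set this back to "SHA1".
DEFAULT_ALGORITHM = "SHA-256"
# Assumed mapping from the setting's name to the hashlib name.
# Note: a dedicated password KDF (PBKDF2, bcrypt, ...) would be a better
# choice than a plain digest for new hashes; the scheme below does not change.
SUPPORTED = {"SHA1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def hash_password(password, algorithm=DEFAULT_ALGORITHM, salt=None):
    """Return '$<algorithm>$<salt>$<digest>' so the algorithm travels with the hash."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    if salt is None:
        salt = base64.b64encode(os.urandom(16)).decode()  # base64 never contains '$'
    digest = hashlib.new(SUPPORTED[algorithm], (salt + password).encode()).digest()
    return f"${algorithm}${salt}${base64.b64encode(digest).decode()}"


def parse_stored(stored):
    """Split a stored value into (algorithm, salt, digest)."""
    _, algorithm, salt, digest = stored.split("$", 3)
    return algorithm, salt, digest


def verify(password, stored):
    """Step 2 + 4: verify against whichever algorithm the stored value names."""
    algorithm, salt, _ = parse_stored(stored)
    candidate = hash_password(password, algorithm, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def verify_and_upgrade(password, stored):
    """Return (ok, stored_value); on success, legacy hashes are rehashed with the default."""
    if not verify(password, stored):
        return False, stored
    algorithm, _, _ = parse_stored(stored)
    if algorithm != DEFAULT_ALGORITHM:
        return True, hash_password(password)  # fresh salt, default algorithm
    return True, stored
```

Calling `verify_and_upgrade` at login and persisting the returned value migrates existing users without forcing a password reset.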