I guess SHA-256 would be a straightforward replacement. Maybe we should
instead move to a salted hash though?

Colm.

On Fri, Jul 14, 2017 at 9:52 AM, Francesco Chicchiriccò <ilgro...@apache.org> wrote:

> On 14/07/2017 10:48, Colm O hEigeartaigh wrote:
>
>> Should we change the default password algorithm from SHA1 for 2.1.0? It's
>> probably time to migrate from SHA1 IMO.
>>
>
> Makes sense.
> The only problem I could see is when pulling hashed password values from
> LDAP, where SHA1 is still quite common. Not a big deal, anyway.
>
> Which algorithm do you propose?
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> Tirasa - Open Source Excellence
> http://www.tirasa.net/
>
> Member at The Apache Software Foundation
> Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail
> http://home.apache.org/~ilgrosso/
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

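The two points raised in this thread (legacy SHA1 values pulled from LDAP, and a salted hash as the new default) are illustrated below in an added example that is not part of the original messages and is not Syncope's code. It assumes the LDAP `userPassword` convention of `{SHA}` and `{SSHA256}` scheme prefixes; the function names, the 16-byte salt length and the sample password are hypothetical.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

SALT_LEN = 16  # bytes; assumed salt size for this example

def hash_unsalted_sha1(password: str) -> str:
    """Legacy LDAP-style value: {SHA} + base64(SHA1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def hash_salted_sha256(password: str, salt: bytes | None = None) -> str:
    """Salted value: {SSHA256} + base64(SHA256(password || salt) || salt)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode("ascii")

def verify(password: str, stored: str) -> tuple[bool, bool]:
    """Return (matches, is_legacy_scheme) for a stored value in either scheme."""
    pw = password.encode("utf-8")
    if stored.startswith("{SHA}"):
        expected = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(pw).digest(), expected), True
    if stored.startswith("{SSHA256}"):
        raw = base64.b64decode(stored[len("{SSHA256}"):])
        digest, salt = raw[:32], raw[32:]  # SHA-256 digest is 32 bytes
        return hmac.compare_digest(hashlib.sha256(pw + salt).digest(), digest), False
    raise ValueError("unsupported password scheme")

def login_and_upgrade(password: str, stored: str) -> str | None:
    """Check a login; return the value to store afterwards, or None on failure."""
    ok, is_legacy = verify(password, stored)
    if not ok:
        return None
    return hash_salted_sha256(password) if is_legacy else stored

if __name__ == "__main__":
    # Constructed sample: two accounts that share one password.
    a, b = hash_unsalted_sha1("correct horse"), hash_unsalted_sha1("correct horse")
    print("unsalted values equal:", a == b)  # same password, same stored value
    c, d = hash_salted_sha256("correct horse"), hash_salted_sha256("correct horse")
    print("salted values equal:  ", c == d)  # random salts make them differ
    print("after login:", login_and_upgrade("correct horse", a))
```

A salt removes the identical-value correlation and precomputed-table lookups that unsalted digests allow, but a single SHA-256 round is still cheap to brute force; a key-derivation function with a work factor (for example `hashlib.pbkdf2_hmac`) addresses that part.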