[ https://issues.apache.org/jira/browse/OFBIZ-3006?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Heath closed OFBIZ-3006.
-----------------------------

       Resolution: Fixed
    Fix Version/s: SVN trunk

> entity encrypt columns not using encryption salt value?
> -------------------------------------------------------
>
>                 Key: OFBIZ-3006
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3006
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: chris snow
>            Assignee: Adam Heath
>             Fix For: SVN trunk
>
>
> It looks as though no salt data is used when saving encrypted entity data
> making the stored data susceptible to dictionary attacks.
> If you look through the stored demo data, you can see all the demo accounts'
> passwords are the same:
> {code}
> UserLogin:
> admin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
> flexadmin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
> ...
> {code}
> As a comparison, if you create two unix accounts, "ofbiz1" and "ofbiz2" and
> set both passwords to "ofbiz"
> {code}
> ofbiz1:$6$3.mYZg9u$0E...:14524:0:99999:7:::
> ofbiz2:$6$MJhYeMqO$Jf...:14524:0:99999:7:::
> {code}
> You can see that on unix, even though the passwords are the same, the
> encrypted values are completely different.
> For more information see:
> [http://en.wikipedia.org/wiki/Salt_(cryptography)]

--
This message was sent by Atlassian JIRA
(v6.2#6252)
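
The comparison in the report, as an added example that is not part of the original message and is not OFBiz code or the fix that was committed: it audits stored values for identical hashes across accounts (the symptom of a missing per-user salt) and shows a salted scheme giving different stored values for the same password. The PBKDF2 parameters, the storage format and the "demo_user" row are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# First two rows are the values quoted in the report; "demo_user" is constructed.
ROWS = [
    ("admin", "{SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a"),
    ("flexadmin", "{SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a"),
    ("demo_user", "{SHA}" + hashlib.sha1(b"constructed-other-password").hexdigest()),
]


def shared_hash_groups(rows):
    """Group accounts whose stored value is identical: a sign that no per-user salt is used."""
    groups = defaultdict(list)
    for user, stored in rows:
        groups[stored].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def hash_salted(password, salt=None, iterations=200_000):
    """Hypothetical storage format: pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    """Recompute the digest with the salt kept alongside the hash and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Unsalted: accounts with the same password collapse onto one stored value.
    print("accounts sharing a hash:", shared_hash_groups(ROWS))
    # Salted: the same password stored twice yields two different values.
    first, second = hash_salted("ofbiz"), hash_salted("ofbiz")
    print("salted values differ:", first != second)
    print("correct password verifies:", verify_salted("ofbiz", first))
    print("wrong password verifies:", verify_salted("wrong", first))
```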