Posted to dev@ofbiz.apache.org by "Wickersheimer Jeremy (JIRA)" <ji...@apache.org> on 2007/07/17 08:41:04 UTC

[jira] Created: (OFBIZ-1151) Passwords are not seeded

Passwords are not seeded
------------------------

                 Key: OFBIZ-1151
                 URL: https://issues.apache.org/jira/browse/OFBIZ-1151
             Project: OFBiz
          Issue Type: Improvement
          Components: party
    Affects Versions: SVN trunk, Release Branch 4.0
            Reporter: Wickersheimer Jeremy
            Priority: Minor


Passwords are currently hashed but not seeded, which may be a security issue.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Jonathon Wong (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542940 ] 

Jonathon Wong commented on OFBIZ-1151:
--------------------------------------

BJ said:
> for creation of employees they like to use a password they will remember.

For the sake of easy migration, we could add a temporary field beside each password, say "isRehashed" (boolean). If "isRehashed" is false, process the incoming password with the old code without salt, then rehash it with salt, and then set "isRehashed" to true.



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12552929 ] 

Jacques Le Roux commented on OFBIZ-1151:
----------------------------------------

Marco,

Do you know how to create a new component in Jira? I never tried.



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Wickersheimer Jeremy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12536091 ] 

Wickersheimer Jeremy commented on OFBIZ-1151:
---------------------------------------------

Replacing the algorithm won't change anything about the problem, and adding a salt is not difficult at all. If I have some time I will try to work on it.



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Wickersheimer Jeremy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12513172 ] 

Wickersheimer Jeremy commented on OFBIZ-1151:
---------------------------------------------

Seeding passwords is not related to the strength of the hashing algorithm; having the seed + hash is as easy as having the hash because it is in the same place.

It is critical to protect those hashes from dictionary attacks by attackers who obtained those hashes. ... like anyone using the webtool could do.

Passwords should be protected as much as possible because it is very likely that a user password would be the same for other applications (Windows auth, emails, ...)




[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Marco Risaliti (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12552656 ] 

Marco Risaliti commented on OFBIZ-1151:
---------------------------------------

Sorry Jacques, I had not seen that it was a grouped bug.
In this case I used to set on grouped bugs the sum of the components used by the detailed issues.
I didn't like unknown components.
Otherwise we can add a new fictitious component - GROUPED ISSUES - and assign this component to this type of issue.

Thanks
Marco



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12535968 ] 

Jacques Le Roux commented on OFBIZ-1151:
----------------------------------------

Just a link, not checked: http://islab.oregonstate.edu/koc/ece575/03Project/Mundle/



Re: [jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by BJ Freeman <bj...@free-man.net>.
A couple of things to remember:
1) for creation of employees, they like to use a password they will remember.
2) when sending a new customer notification, it should come back to a
link that lets them change the password.
3) products lets you define a default password, so add an option to have
it auto-created.
There are a couple of places where the hard-coded passwords are.

Michael Jensen (JIRA) sent the following on 11/15/2007 10:52 AM:
>     [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542844 ] 
> 
> Michael Jensen commented on OFBIZ-1151:
> ---------------------------------------
> 
> Is anyone working on this already?  
> I'd like to help out with it.  I'm kind of a hack w/ofbiz, so I'd need a little direction/mentoring on how to create an acceptable patch for the project.
> 
> 

[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Michael Jensen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542844 ] 

Michael Jensen commented on OFBIZ-1151:
---------------------------------------

Is anyone working on this already?  
I'd like to help out with it.  I'm kind of a hack w/ofbiz, so I'd need a little direction/mentoring on how to create an acceptable patch for the project.




[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "BJ Freeman (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542871 ] 

BJ Freeman commented on OFBIZ-1151:
-----------------------------------

A couple of things to remember:
1) for creation of employees, they like to use a password they will remember.
2) when sending a new customer notification, it should come back to a
link that lets them change the password.
3) products lets you define a default password, so add an option to have
it auto-created.
There are a couple of places where the hard-coded passwords are.






[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707707#action_12707707 ] 

Jacques Le Roux commented on OFBIZ-1151:
----------------------------------------

Maybe we should just provide a salting mechanism with clear explanations. I mean OFBiz passwords salted OOTB but only as a demonstration, and clear explanations about not only changing passwords (as it's already done for the admin password) but also the salt string. Maybe Michael Jensen's idea of colon-separating password and salt could be used? I also remember the idea of having a salt string only related to the password at hand (to avoid an easy hack if the salt is discovered by a way or another...); this is also called a random salt (the alternative being a static salt). But obviously this introduces a new breach as you also have to store the random salt. Except if you use a part of the record only *you* know (for instance a part of the creation date field, etc.)

My 2cts

Jacques




[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Wickersheimer Jeremy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12513177 ] 

Wickersheimer Jeremy commented on OFBIZ-1151:
---------------------------------------------

PS: the second link is the problem exactly. Someone proposed to salt the passwords which is what should be done.

The modification would be trivial really.
- When you store a password you generate a random salt
- Then you store in the DB two fields: the "salt" (hash of a random string), and the "hashed(salt+password)"
When you check a password, you just need to re-add the salt before hashing and comparing to the DB.

You can also concatenate the salt and hashed(salt+pass) in one field because both have predefined size.

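The scheme described in the comment above, written out as an added Python example (it is not code from the OFBiz project or from the comment's author). It assumes SHA-256 as the hash, a 16-byte random salt, and hex encoding for the two DB fields; the single-field variant relies on both parts having a fixed size, exactly as the comment notes.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example (not OFBiz's own values): the comment
# above stores hashed(salt + password); SHA-256 is used here because it was the
# algorithm proposed elsewhere in the thread, and the salt is 16 random bytes.
SALT_BYTES = 16
HASH_NAME = "sha256"
DIGEST_BYTES = hashlib.new(HASH_NAME).digest_size  # 32 for SHA-256


def hash_with_salt(salt: bytes, password: str) -> bytes:
    """hashed(salt + password), exactly the construction described in the comment."""
    return hashlib.new(HASH_NAME, salt + password.encode("utf-8")).digest()


def store_password(password: str) -> dict:
    """Draw a fresh random salt and return the two DB fields as hex strings."""
    salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt.hex(), "hash": hash_with_salt(salt, password).hex()}


def check_password(record: dict, candidate: str) -> bool:
    """Re-add the stored salt, hash the candidate and compare with the DB value."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    # compare_digest runs in constant time, so a wrong guess does not reveal
    # how many leading bytes of the digest it got right
    return hmac.compare_digest(hash_with_salt(salt, candidate), expected)


# Single-field variant: salt and digest both have a fixed size, so the two
# values can be concatenated into one column and split again by length.
def pack_single_field(record: dict) -> str:
    return record["salt"] + record["hash"]


def unpack_single_field(field: str) -> dict:
    salt_len = SALT_BYTES * 2          # hex doubles the length
    digest_len = DIGEST_BYTES * 2
    if len(field) != salt_len + digest_len:
        raise ValueError("stored field has an unexpected length")
    return {"salt": field[:salt_len], "hash": field[salt_len:]}


if __name__ == "__main__":
    rec = store_password("correct horse")
    print(check_password(rec, "correct horse"))                            # True
    print(check_password(rec, "wrong horse"))                              # False
    print(check_password(unpack_single_field(pack_single_field(rec)),
                         "correct horse"))                                 # True
```

The example keeps the thread's single hash pass over salt + password so that it matches the proposal; because one SHA-256 computation per guess is cheap, current practice layers an iterated, deliberately slow password hash (the standard library's hashlib.pbkdf2_hmac is one) on top of the per-user salt shown here.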


[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Jonathon Wong (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12536099 ] 

Jonathon Wong commented on OFBIZ-1151:
--------------------------------------

> Replacing the algorithm won't change anything to the problem, and adding a
> salt is not difficult at all. If i have some time i will try to work on it.

I agree. SHA-256 is just as concrete a 1-way hash algo as MD5. Hashing a certain string will still always predictably produce a certain hash result, so hackers can easily work backwards to get the password.

The common practice (for a very long time now) is to salt it. In fact, financial institutions even store the salt somewhere else, somewhere really safe.

> It is critical to protect those hashes from dictionary attacks by attackers
> who obtained those hashes. ... like anyone using the webtool could do.

But wouldn't webtool also yield the salt as well?

But still, I agree that salting the password would make dictionary attacks exponentially arduous. For a certain password, it is stored differently (thanks to random salt) in each instance where it is stored (say 2 or more users happen to like the same password). Therefore, for each hash stored in the database, an attack would have to do additional computation (dictionary attack has to be completely recoded, actually).

For common needs, salting will adequately make dictionary attacks expensive (or impossible).

It is incredibly easy to do dictionary attacks on un-salted password hashes.

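An added illustration of the two points made in the comment above (it is not code from the thread or from OFBiz). With constructed sample accounts, two users who chose the same password receive identical unsalted hashes, so one pass over a word list serves every record at once; with a random per-record salt the stored values differ and the work grows with the number of records. The counting function only tallies hash computations and never compares anything against the stored values.

```python
import hashlib
import secrets

# Constructed sample data for this example: three accounts, two of which chose
# the same password, and a four-word list. None of this is real account data.
USERS = {"alice": "summer2007", "bob": "summer2007", "carol": "tr0ub4dor"}
WORDLIST = ["password", "summer2007", "letmein", "qwerty"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def store_unsalted(password: str) -> dict:
    """The current scheme discussed in the thread: hash(password) only."""
    return {"salt": None, "hash": sha256_hex(password.encode("utf-8"))}


def store_salted(password: str) -> dict:
    """The proposed scheme: a random per-record salt, then hash(salt + password)."""
    salt = secrets.token_bytes(8)
    return {"salt": salt, "hash": sha256_hex(salt + password.encode("utf-8"))}


def distinct_stored_values(records: dict) -> int:
    """How many different stored hashes appear across all accounts."""
    return len({r["hash"] for r in records.values()})


def hash_ops_to_test_wordlist(records: dict, words: list) -> int:
    """Count the hash computations needed to try every word against every
    record, reusing a digest whenever two records would need the same one.
    Only the count is returned; nothing is compared with the stored values.
    """
    computed = {}
    for r in records.values():
        for w in words:
            key = (r["salt"], w)
            if key not in computed:
                computed[key] = sha256_hex((r["salt"] or b"") + w.encode("utf-8"))
    return len(computed)


if __name__ == "__main__":
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}
    print(distinct_stored_values(unsalted), distinct_stored_values(salted))  # 2 3
    print(hash_ops_to_test_wordlist(unsalted, WORDLIST),
          hash_ops_to_test_wordlist(salted, WORDLIST))                       # 4 12
```

With no salt, the word list's digests depend on nothing but the words, so they are computed once (and could be computed ahead of time) and reused for every record; with a per-record salt, each record needs its own pass and nothing computed for one record carries over to another.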


[jira] Assigned: (OFBIZ-1151) Passwords are not seeded

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux reassigned OFBIZ-1151:
--------------------------------------

    Assignee: Jacques Le Roux



[jira] Updated: (OFBIZ-1151) Passwords are not seeded

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-1151:
-----------------------------------

    Issue Type: Sub-task  (was: Improvement)
        Parent: OFBIZ-1525



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Guido Amarilla (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12513173 ] 

Guido Amarilla commented on OFBIZ-1151:
---------------------------------------

Jeremy
Are you talking about adding a salt to the password?

Ref: http://en.wikipedia.org/wiki/Salt_(cryptography)

In this case it would increase security, but the seed data passwords would become invalid. 
It would be even safer for each implementation if you keep this salt secret.



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12553397 ] 

Jacques Le Roux commented on OFBIZ-1151:
----------------------------------------

Marco,

Done, was a good idea, at least I hope everybody will think so.



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Marco Risaliti (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12553256 ] 

Marco Risaliti commented on OFBIZ-1151:
---------------------------------------

Hi Jacques,

I don't have the grant for JIRA administration, so I cannot help you on how to create a new component.

Thanks
Marco



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12549776 ] 

Jacques Le Roux commented on OFBIZ-1151:
----------------------------------------

I will create soon a general task for security issues. All current pending security issues will be children of this new task.



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Martin Kreidenweis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12895313#action_12895313 ] 

Martin Kreidenweis commented on OFBIZ-1151:
-------------------------------------------

Adam, 

great news about the patch. Where can I get it? :)

Thanks
Martin



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12513168 ] 

Jacques Le Roux commented on OFBIZ-1151:
----------------------------------------

Jeremy,

Did you notice that they use a one-way only encryption (i.e. no decryption is normally possible; of course even the better encryption algorithms known so far have been cracked)?

If I remember well SHA-1 is used : http://en.wikipedia.org/wiki/SHA-1

This may also interest you : http://www.nabble.com/How-do-I-decrypt-passwords--tf3081869.html#a8562707



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Jonathon Wong (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12536103 ] 

Jonathon Wong commented on OFBIZ-1151:
--------------------------------------

Guido,

> In this case it would increase security, but the seed data passwords would
> become invalid.

The password hashes will certainly need to be recomputed if the new implementation adds a salt.

In fact, to make brute force attacks even more expensive, the salt can be changed often (say every time the password hash is accessed) and the password hash recomputed. If it might take 24 hours for a super-computer to compute the password from a password hash and its salt, the salt could be changed every 23 hours.

The ability to keep the salt secret in a strong and secure box will certainly be good. Not very cheap, though. Depends on how strong and how secure the salt box is.



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Jonathon Wong (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542977 ] 

Jonathon Wong commented on OFBIZ-1151:
--------------------------------------

Oh yes! That will do away with the need for a new entity field like "isRehashed". I would like the salt to be appended to the password hash after a ":", so we don't need to create a new entity field for the salt. The ':' character doesn't appear in a password hash.



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Marco Risaliti (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12553492 ] 

Marco Risaliti commented on OFBIZ-1151:
---------------------------------------

Also I like this workaround to see how many INCORPORATING ISSUEs are active.
Before switching the other INCORPORATING ISSUEs to this new fictitious component I will wait for some other feedback from others.

Thanks
Marco




[jira] Issue Comment Edited: (OFBIZ-1151) Passwords are not seeded

Posted by "Wickersheimer Jeremy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12513177 ] 

Wickersheimer Jeremy edited comment on OFBIZ-1151 at 7/17/07 1:05 AM:
----------------------------------------------------------------------

Yes,

The nabble link is the problem exactly. Someone proposed to salt the passwords which is what should be done.

The modification would be trivial really.
- When you store a password you generate a random salt
- Then you store in the DB two fields: the "salt" (hash of a random string), and the "hashed(salt+password)"
When you check a password, you just need to re-add the salt before hashing and comparing to the DB.

You can also concatenate the salt and hashed(salt+pass) in one field because both have predefined size.


 was:
PS: the second link is the problem exactly. Someone proposed to salt the passwords which is what should be done.

The modification would be trivial really.
- When you store a password you generate a random salt
- Then you store in the DB two fields: the "salt" (hash of a random string), and the "hashed(salt+password)"
When you check a password, you just need to re-add the salt before hashing and comparing to the DB.

You can also concatenate the salt and hashed(salt+pass) in one field because both have predefined size.



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12535963 ] 

Jacques Le Roux commented on OFBIZ-1151:
----------------------------------------

I agree that salting could be a solution for dictionary attacks. But why not replace the crypting algorithm by a newer and safer one (RIPEMD-160, SHA-256, Whirlpool, etc.), my preference being SHA-256? I think it's easier, isn't it?



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Adam Heath (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12858370#action_12858370 ] 

Adam Heath commented on OFBIZ-1151:
-----------------------------------

I actually have a patch for this now. Existing database entries will continue to work, while changing a password will end up being salted. The salt is randomly generated each and every time a password is hashed. There is no globally shared salt at any point. The length of the salt is from 1 to 16 chars, and the content is also random.



[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Michael Jensen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542952 ] 

Michael Jensen commented on OFBIZ-1151:
---------------------------------------

One option is to use the same field for the hash, but adding a colon and the salt to the end of the string. This way it would be easy to distinguish between salted and non-salted passwords and validate accordingly. I've seen a few projects that store password hashes this way.
The Linux /etc/shadow file also stores the hash and salt in one field (but that doesn't mean it is best for this situation.)

An alternative could be to just have the salt stored in another field in the same table and if it isn't empty, the password hash is salted. (You have to store the salt somewhere anyway.)



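The single-field "hash:salt" layout from this comment, combined with the store/verify steps Jeremy sketched earlier in the thread, as an added Python example (not OFBiz code, and not the patch Adam mentions); the legacy unsalted algorithm, the salt length and the choice of SHA-256 for the salted form are assumptions:

```python
import hashlib
import hmac
import secrets

# Added example, not OFBiz code. One field holds "hexhash:salt"; a stored
# value with no ':' is a legacy unsalted hash and is verified the old way,
# then transparently rewritten with a fresh salt on a successful login.

LEGACY_ALGO = "sha1"   # assumption: algorithm used by the old unsalted store
SALT_BYTES = 16        # assumption: 16 random bytes (32 hex chars) per password


def hash_legacy(password: str) -> str:
    """Old scheme: a bare hash of the password, no salt."""
    return hashlib.new(LEGACY_ALGO, password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: str) -> str:
    """New scheme: SHA-256 over salt+password, per the sketch in the thread."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """Generate a fresh random salt and return the single-field 'hash:salt' value."""
    salt = secrets.token_hex(SALT_BYTES)
    return f"{hash_salted(password, salt)}:{salt}"


def verify_password(stored: str, password: str) -> tuple[bool, str]:
    """Return (ok, value_to_store).

    Salted entries are checked directly. A legacy entry (no ':') is checked
    with the old hash and, if it matches, upgraded to a salted value that the
    caller should write back so the unsalted hash disappears from the DB.
    """
    if ":" in stored:
        digest, salt = stored.split(":", 1)
        ok = hmac.compare_digest(digest, hash_salted(password, salt))
        return ok, stored
    # Legacy unsalted entry
    ok = hmac.compare_digest(stored, hash_legacy(password))
    if ok:
        return True, store_password(password)  # upgrade on first good login
    return False, stored
```

A per-user salt stops one precomputed table from covering every account, but a single fast SHA-256 is still cheap to brute-force offline; a deliberately slow, iterated KDF is the usual choice for new designs.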

[jira] Commented: (OFBIZ-1151) Passwords are not seeded

Posted by "Wickersheimer Jeremy (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542935 ] 

Wickersheimer Jeremy commented on OFBIZ-1151:
---------------------------------------------

Hi,

I am not working on it but I can help you if you need information.

-- 
WICKERSHEIMER
Jérémy

