Posted to dev@ofbiz.apache.org by "Wickersheimer Jeremy (JIRA)" <ji...@apache.org> on 2007/07/17 10:06:05 UTC
[jira] Issue Comment Edited: (OFBIZ-1151) Passwords are not seeded
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12513177 ]
Wickersheimer Jeremy edited comment on OFBIZ-1151 at 7/17/07 1:05 AM:
----------------------------------------------------------------------
Yes,
The nabble link is the problem exactly. Someone proposed to salt the passwords which is what should be done.
The modification would be trivial really.
- When you store a password you generate a random salt
- Then you store in the DB two fields: the "salt" (hash of a random string), and the "hashed(salt+password)"
When you check a password, you just need to re-add the salt before hashing and comparing to the DB.
You can also concatenate the salt and hashed(salt+pass) in one field because both have predefined size.
was:
PS: the second link is the problem exactly. Someone proposed to salt the passwords which is what should be done.
The modification would be trivial really.
- When you store a password you generate a random salt
- Then you store in the DB two fields: the "salt" (hash of a random string), and the "hashed(salt+password)"
When you check a password, you just need to re-add the salt before hashing and comparing to the DB.
You can also concatenate the salt and hashed(salt+pass) in one field because both have predefined size.
> Passwords are not seeded
> ------------------------
>
> Key: OFBIZ-1151
> URL: https://issues.apache.org/jira/browse/OFBIZ-1151
> Project: OFBiz
> Issue Type: Improvement
> Components: party
> Affects Versions: SVN trunk, Release Branch 4.0
> Reporter: Wickersheimer Jeremy
> Priority: Minor
>
> Passwords are currently hashed but not seeded which may be a security issue.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
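
The scheme described in the comment above (a random salt per password, salt and hash concatenated in one field at fixed sizes, salt re-added on check), as an added example that is not part of the original message and is not OFBiz code. It substitutes PBKDF2-HMAC-SHA256 for the single hash the comment mentions; the class name, field sizes and iteration count are assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedPassword {
    // Assumed parameters for this example, not OFBiz settings.
    static final int SALT_LEN = 16;        // bytes of random salt
    static final int HASH_LEN = 32;        // bytes of derived hash
    static final int ITERATIONS = 210_000; // PBKDF2 work factor

    // Slow salted hash; stands in for "hashed(salt+password)".
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_LEN * 8);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Store: fresh random salt per password, then salt || hash in one field.
    static String store(char[] password) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        byte[] hash = derive(password, salt);
        byte[] field = Arrays.copyOf(salt, SALT_LEN + HASH_LEN);
        System.arraycopy(hash, 0, field, SALT_LEN, HASH_LEN);
        return Base64.getEncoder().encodeToString(field);
    }

    // Check: split at the fixed offset, re-derive with the stored salt,
    // and compare in constant time.
    static boolean check(char[] password, String stored) throws Exception {
        byte[] field;
        try { field = Base64.getDecoder().decode(stored); }
        catch (IllegalArgumentException e) { return false; } // malformed field
        if (field.length != SALT_LEN + HASH_LEN) return false;
        byte[] salt = Arrays.copyOfRange(field, 0, SALT_LEN);
        byte[] expected = Arrays.copyOfRange(field, SALT_LEN, field.length);
        return MessageDigest.isEqual(expected, derive(password, salt));
    }

    public static void main(String[] args) throws Exception {
        String a = store("hunter2".toCharArray()); // constructed sample password
        String b = store("hunter2".toCharArray());
        System.out.println("same password, different fields: " + !a.equals(b));
        System.out.println("correct password accepted: " + check("hunter2".toCharArray(), a));
        System.out.println("wrong password rejected: " + !check("hunter3".toCharArray(), a));
    }
}
```

Because the salt differs per record, two users with the same password get different stored fields, so a precomputed table of unsalted hashes cannot be matched against the column.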