[
https://issues.apache.org/jira/browse/OFBIZ-3006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13257868#comment-13257868 ]
Adam Heath commented on OFBIZ-3006:
-----------------------------------
I'm working on this today. Should have it implemented by this evening. Won't be able to commit it right away, as I need to split the commit up into smaller chunks. The changes are in EntityCrypto.
> entity encrypt columns not using encryption salt value?
> -------------------------------------------------------
>
> Key: OFBIZ-3006
> URL:
https://issues.apache.org/jira/browse/OFBIZ-3006> Project: OFBiz
> Issue Type: Sub-task
> Affects Versions: SVN trunk
> Reporter: chris snow
> Assignee: Adam Heath
>
> It looks as though no salt data is used when saving encrypted entity data making the stored data susceptible to dictionary attacks.
> If you look through the stored demo data, you can see all the demo accounts passwords are the same:
> {code}
> UserLogin:
> admin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
> flexadmin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
> ...
> {code}
> As a comparison, if you create a two unix accounts, "ofbiz1" and "ofbiz2" and set both passwords to "ofbiz"
> {code}
> ofbiz1:$6$3.mYZg9u$0E...:14524:0:99999:7:::
> ofbiz2:$6$MJhYeMqO$Jf...:14524:0:99999:7:::
> {code}
> You can see that on unix, even though the passwords are the same, the encrypted values are completely different.
> For more information see:
> [
http://en.wikipedia.org/wiki/Salt_(cryptography)]
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspaFor more information on JIRA, see:
http://www.atlassian.com/software/jira
Locked
