[
https://issues.apache.org/jira/browse/OFBIZ-9150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17319348#comment-17319348 ]
Jacques Le Roux commented on OFBIZ-9150:
----------------------------------------
At
https://markmail.org/message/vtwktynlecx7lczl I suggested we could use Argon. It's still not available in JDK but there are argon2-jvm available in Maven:
https://mkyong.com/java/java-password-hashing-with-argon2/> Create a tool to hashes all our OOTB passwords using PBKDF2_SHA512
> ------------------------------------------------------------------
>
> Key: OFBIZ-9150
> URL:
https://issues.apache.org/jira/browse/OFBIZ-9150> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Reporter: Jacques Le Roux
> Priority: Minor
>
> Currently we use SHA1 for our OOTB passwords hashes and they are not salted. If you create new passwords they will still use SHA1 but they will be salted, which is good.
> But we should better provide SHA-512 OOTB hashes instead of SHA-1. And use SHA-512 as default encrypting method (even for fields), with at least 10 000 iterations, to lead our users to the best solution.
> We should also provide a simple and easy documentation about that. So far we have this discussion
http://markmail.org/message/yqybsqzigrqbyxgf> I suggest to improve/enhance
https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deployment--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
