[jira] Created: (OFBIZ-3006) entity encrypt columns not using encryption salt value?


[jira] Created: (OFBIZ-3006) entity encrypt columns not using encryption salt value?

Nicolas Malin (Jira)
entity encrypt columns not using encryption salt value?
-------------------------------------------------------

                 Key: OFBIZ-3006
                 URL: https://issues.apache.org/jira/browse/OFBIZ-3006
             Project: OFBiz
          Issue Type: Bug
    Affects Versions: SVN trunk
            Reporter: chris snow


It looks as though no salt data is used when saving encrypted entity data making the stored data susceptible to dictionary attacks.

If you look through the stored demo data, you can see all the demo accounts passwords are the same:

{code}
UserLogin:
admin     {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
flexadmin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
...
{code}

As a comparison, if you create two unix accounts, "ofbiz1" and "ofbiz2" and set both passwords to "ofbiz"

{code}
ofbiz1:$6$3.mYZg9u$0E...:14524:0:99999:7:::
ofbiz2:$6$MJhYeMqO$Jf...:14524:0:99999:7:::
{code}

You can see that on unix, even though the passwords are the same, the encrypted values are completely different.

For more information see:

[http://en.wikipedia.org/wiki/Salt_(cryptography)]

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
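The following Python script is an added illustration of the point made in the report and is not OFBiz code or anything attached to OFBIZ-3006. It reproduces the unsalted "{SHA}" form shown in the demo data (assuming the stored value is simply the hex SHA-1 of the password), stores the same password for two accounts under a salted PBKDF2 scheme for comparison, and runs a dictionary attack against both. The "{PBKDF2}..." storage format and the wordlist are constructed for the example; the demo hash constant is the one quoted in the report.

```python
"""Unsalted {SHA} password hashes versus a salted scheme (added example for OFBIZ-3006)."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Value quoted in the bug report for the "admin" and "flexadmin" demo accounts.
DEMO_HASH = "{SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a"

# Constructed wordlist for the dictionary attack (not from the report).
WORDLIST = ["password", "admin", "ofbiz", "123456", "letmein"]


def ofbiz_sha(password: str) -> str:
    """Unsalted SHA-1 in the "{SHA}<hex>" form seen in the UserLogin demo data.
    Assumption: the stored value is hex(sha1(password)) with no salt."""
    return "{SHA}" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 50_000) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt per stored password.
    Stored as "{PBKDF2}<iterations>$<salt hex>$<digest hex>" (constructed format,
    not OFBiz's)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{{PBKDF2}}{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count stored beside the digest,
    then compare in constant time."""
    iters, salt_hex, digest_hex = stored[len("{PBKDF2}"):].split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_unsalted(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted hashes: hash each candidate word once, then
    look every account up in the resulting table. Cost is |wordlist| hashes no
    matter how many accounts there are, and the table can be precomputed."""
    table = {ofbiz_sha(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_salted(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """The same attack against salted hashes: no shared table is possible, so each
    account costs |wordlist| full PBKDF2 computations. A weak password still falls,
    but cracking one account reveals nothing about others with the same password."""
    words = list(wordlist)
    found: Dict[str, str] = {}
    for user, value in stored.items():
        for word in words:
            if verify_salted(word, value):
                found[user] = word
                break
    return found


def main() -> None:
    unsalted = {"admin": ofbiz_sha("ofbiz"), "flexadmin": ofbiz_sha("ofbiz")}
    salted = {"admin": salted_hash("ofbiz"), "flexadmin": salted_hash("ofbiz")}
    print("unsalted (identical for identical passwords):")
    for user, h in unsalted.items():
        print(f"  {user:10} {h}")
    print("salted (different even for identical passwords):")
    for user, h in salted.items():
        print(f"  {user:10} {h[:60]}...")
    print("cracked unsalted:", crack_unsalted(unsalted, WORDLIST))
    print("cracked salted:  ", crack_salted(salted, WORDLIST))
    print("demo hash from the report:", crack_unsalted({"admin": DEMO_HASH}, WORDLIST))


if __name__ == "__main__":
    main()
```

Running the script shows the two accounts sharing one "{SHA}" value and both being recovered from a single pass over the wordlist, while the salted entries differ from each other and have to be attacked one account at a time; the salt does not rescue a password that is itself in the wordlist, which is why an iterated function is used alongside it.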

[jira] Updated: (OFBIZ-3006) entity encrypt columns not using encryption salt value?

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-3006?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-3006:
-----------------------------------

    Issue Type: Sub-task  (was: Bug)
        Parent: OFBIZ-1525

> entity encrypt columns not using encryption salt value?
> -------------------------------------------------------
>
>                 Key: OFBIZ-3006
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3006
>             Project: OFBiz
>          Issue Type: Sub-task
>    Affects Versions: SVN trunk
>            Reporter: chris snow
>
> It looks as though no salt data is used when saving encrypted entity data making the stored data susceptible to dictionary attacks.
> If you look through the stored demo data, you can see all the demo accounts passwords are the same:
> {code}
> UserLogin:
> admin     {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
> flexadmin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
> ...
> {code}
> As a comparison, if you create two unix accounts, "ofbiz1" and "ofbiz2" and set both passwords to "ofbiz"
> {code}
> ofbiz1:$6$3.mYZg9u$0E...:14524:0:99999:7:::
> ofbiz2:$6$MJhYeMqO$Jf...:14524:0:99999:7:::
> {code}
> You can see that on unix, even though the passwords are the same, the encrypted values are completely different.
> For more information see:
> [http://en.wikipedia.org/wiki/Salt_(cryptography)]
