Details

    • Type: Sub-task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: SVN trunk
    • Fix Version/s: None
    • Component/s: framework
    • Labels: None

      Description

      It looks as though no salt data is used when saving encrypted entity data making the stored data susceptible to dictionary attacks.

      If you look through the stored demo data, you can see all the demo accounts' passwords are the same:

      UserLogin:
      admin     {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
      flexadmin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
      ...
      

      As a comparison, if you create two unix accounts, "ofbiz1" and "ofbiz2" and set both passwords to "ofbiz"

      ofbiz1:$6$3.mYZg9u$0E...:14524:0:99999:7:::
      ofbiz2:$6$MJhYeMqO$Jf...:14524:0:99999:7:::
      

      You can see that on unix, even though the passwords are the same, the encrypted values are completely different.

      For more information see:

      http://en.wikipedia.org/wiki/Salt_(cryptography)
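As an added illustration of the point above (example code written for this page, not OFBiz's EntityCrypto or login code), the following Python contrasts the unsalted "{SHA}" style with a per-account salted scheme and includes the check the report effectively performed by eye: grouping UserLogin rows by stored hash value to spot accounts sharing one digest. The "{PBKDF2-SHA256}" label, the sample accounts and the password used for them are constructed for this example.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

# Unsalted scheme as seen in the report: one SHA-1 hex digest per password, so
# every account with the same password stores the identical value.
def unsalted_sha(password: str) -> str:
    return "{SHA}" + hashlib.sha1(password.encode("utf-8")).hexdigest()

# Salted scheme for contrast (the "{PBKDF2-SHA256}" label is a constructed
# format, not an OFBiz one): a random 16-byte salt per account, stored next
# to the digest so the value can still be verified later.
def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return "{PBKDF2-SHA256}" + salt.hex() + "$" + digest.hex()

def verify_salted(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored[len("{PBKDF2-SHA256}"):].split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), 100_000)
    # constant-time comparison so the check itself leaks nothing via timing
    return hmac.compare_digest(digest.hex(), digest_hex)

# Audit check: group accounts by stored hash value. Any group larger than one
# means the store is unsalted (or passwords are genuinely shared); with
# per-account salts the same check finds nothing even when passwords repeat.
def find_shared_hashes(user_logins: Dict[str, str]) -> Dict[str, List[str]]:
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for user, stored in user_logins.items():
        by_hash[stored].append(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}

# Constructed demo data mirroring the report's UserLogin shape: two admin
# accounts with the same (constructed) password, one account with another.
UNSALTED_DEMO = {"admin": unsalted_sha("ofbiz"),
                 "flexadmin": unsalted_sha("ofbiz"),
                 "guest": unsalted_sha("guest")}
SALTED_DEMO = {"admin": salted_hash("ofbiz"),
               "flexadmin": salted_hash("ofbiz")}

if __name__ == "__main__":
    for user, stored in UNSALTED_DEMO.items():
        print(f"{user:10}{stored}")
    print("shared (unsalted):", find_shared_hashes(UNSALTED_DEMO))
    print("shared (salted):  ", find_shared_hashes(SALTED_DEMO))
```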

          Activity

          chris snow created issue -
          Jacques Le Roux made changes -
          Field Original Value New Value
          Link This issue is part of OFBIZ-1151 [ OFBIZ-1151 ]
          Jacques Le Roux made changes -
          Link This issue is part of OFBIZ-1151 [ OFBIZ-1151 ]
          Jacques Le Roux made changes -
          Parent OFBIZ-1525 [ 12384719 ]
          Issue Type Bug [ 1 ] Sub-task [ 7 ]
          Jacques Le Roux made changes -
          Link This issue blocks OFBIZ-1151 [ OFBIZ-1151 ]
          Gavin made changes -
          Workflow jira [ 12478819 ] OFbiz Workflow [ 12504183 ]
          Adam Heath made changes -
          Assignee Adam Heath [ doogie ]
          Adam Heath added a comment -

          I'm working on this today. Should have it implemented by this evening. Won't be able to commit it right away, as I need to split the commit up into smaller chunks. The changes are in EntityCrypto.

          Jacopo Cappellato made changes -
          Component/s framework [ 12311145 ]

            People

            • Assignee: Adam Heath
            • Reporter: chris snow
            • Votes: 0
            • Watchers: 0
