Details

    • Type: Sub-task Sub-task
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: Trunk
    • Fix Version/s: Trunk
    • Component/s: framework
    • Labels:
      None

      Description

      It looks as though no salt data is used when saving encrypted entity data making the stored data susceptible to dictionary attacks.

      If you look through the stored demo data, you can see all the demo accounts passwords are the same:

      UserLogin:
      admin     {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
      flexadmin {SHA}47ca69ebb4bdc9ae0adec130880165d2cc05db1a
      ...
      

      As a comparison, if you create a two unix accounts, "ofbiz1" and "ofbiz2" and set both passwords to "ofbiz"

      ofbiz1:$6$3.mYZg9u$0E...:14524:0:99999:7:::
      ofbiz2:$6$MJhYeMqO$Jf...:14524:0:99999:7:::
      

      You can see that on unix, even though the passwords are the same, the encrypted values are completely different.

      For more information see:

      http://en.wikipedia.org/wiki/Salt_(cryptography)

        Issue Links

          Activity

          No work has yet been logged on this issue.

            People

            • Assignee:
              Adam Heath
              Reporter:
              chris snow
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development