[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13472521#comment-13472521 ]
Adam Heath commented on OFBIZ-1151:
-----------------------------------
Technically, *any* hard-coded value, even hashed, in the seed data is bad. It'd be nice to get different per-install salt+hash values in the database. However, the only way to do that would be to store the non-hashed passwords in seed, and salt+hash them during store. That would require a change to the xml data loader.
I haven't done any of this, am just brainstorming.
If we do not go this route, then each stored hashed value should be changed to a *different* salt+hash value. There is a simple main(String[]) command in the repo that can facilitate this.
> Passwords are not salted
> ------------------------
>
> Key: OFBIZ-1151
> URL: https://issues.apache.org/jira/browse/OFBIZ-1151
> Project: OFBiz
> Issue Type: Sub-task
> Components: party
> Affects Versions: Release Branch 4.0, SVN trunk
> Reporter: Wickersheimer Jeremy
> Assignee: Adam Heath
> Priority: Minor
>
> Passwords are currently hashed but not seeded, which may be a security issue.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira
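The comment above sketches two options: salt+hash plaintext seed passwords at load time, or regenerate a distinct salt+hash for every stored value. The following is an added illustration of the first option, not OFBiz code and not the project's real loader or hash encoding. It assumes a constructed entity-engine-style XML fragment with a `UserLogin` element and a `currentPassword` attribute (names chosen for illustration), and an assumed storage encoding `$SHA256$<salt>$<base64 digest>`; it leaves already-encoded values untouched so the loader can be re-run safely, and shows that identical plaintext passwords end up as different stored values once each record gets its own salt.

```python
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Constructed seed-data fragment, loosely modelled on entity-engine XML.
# Entity and attribute names are illustrative assumptions, not the project's schema.
SEED_XML = """<entity-engine-xml>
  <UserLogin userLoginId="admin" currentPassword="ofbiz"/>
  <UserLogin userLoginId="flexadmin" currentPassword="ofbiz"/>
  <UserLogin userLoginId="demoadmin" currentPassword="ofbiz"/>
</entity-engine-xml>"""

# Assumed storage encoding: $SHA256$<hex salt>$<base64 digest>.
HASH_PREFIX = "$SHA256$"


def salted_hash(password: str, salt: Optional[str] = None) -> str:
    """Return the encoded salt+hash of `password`, generating a fresh salt if none given."""
    if salt is None:
        salt = secrets.token_hex(8)  # 64 random bits, hex-encoded
    digest = hashlib.sha256((salt + password).encode("utf-8")).digest()
    return f"{HASH_PREFIX}{salt}${base64.b64encode(digest).decode('ascii')}"


def verify(password: str, stored: str) -> bool:
    """Recompute the hash with the salt embedded in `stored` and compare in constant time."""
    if not stored.startswith(HASH_PREFIX):
        return False
    salt, _, _digest = stored[len(HASH_PREFIX):].partition("$")
    return hmac.compare_digest(salted_hash(password, salt), stored)


def salt_seed_passwords(xml_text: str) -> Tuple[str, Dict[str, str]]:
    """Load seed XML, replacing plaintext currentPassword values with per-record salt+hash.

    Values already in the encoded form are left as-is, so repeated loads are idempotent.
    Returns the rewritten XML and a mapping of userLoginId -> stored value.
    """
    root = ET.fromstring(xml_text)
    creds: Dict[str, str] = {}
    for rec in root.iter("UserLogin"):
        value = rec.get("currentPassword")
        if value is None:
            continue
        if not value.startswith(HASH_PREFIX):  # plaintext in seed: hash it at store time
            value = salted_hash(value)
            rec.set("currentPassword", value)
        creds[rec.get("userLoginId", "")] = value
    return ET.tostring(root, encoding="unicode"), creds


if __name__ == "__main__":
    rewritten, creds = salt_seed_passwords(SEED_XML)
    print(rewritten)
    # Same plaintext, different stored values thanks to per-record salts.
    print(len(set(creds.values())), "distinct stored values for", len(creds), "records")
```

The encoding here is an assumption chosen for the example; whatever the real loader writes, the two properties worth checking are that each record gets its own random salt (so equal passwords do not produce equal stored values) and that re-loading already-hashed seed data does not double-hash it. Salted SHA mirrors the thread's discussion; for new designs a deliberately slow password KDF would be preferable.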